Enforcement of compliance with network security policies

US 7,249,187 B2
Filed: 11/27/2002
Issued: 07/24/2007
Est. Priority Date: 11/27/2002
Status: Active Grant

First Claim

Patent Images

1. A computer-implemented method for enforcing a set of security policies associated with a protected network, the method comprising the steps of:

receiving a request for a network address from a client;

determining whether the client is in compliance with the set of security policies, wherein the set of security policies includes at least one rule that evaluates a client'"'"'s compliance based on a configuration of the client; and

responsive to the client'"'"'s being in compliance with the set of security policies, assigning the client a logical address on the protected network.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods, apparati, and computer program products enforce computer network security policies by assigning network membership to a client (105) based on the client'"'"'s compliance with the security policies. When a client (105) requests (305) a network address, the DHCP proxy (110) intercepts the request and assigns (350) that client (105) a logical address on the protected network (140) if the client (105) is in compliance with the security policies. If the client (105) is not in compliance with the security policies, in various embodiments, the DHCP proxy (110) assigns (350) the client (105) an address on a restricted network (145) or no network address at all.

217 Citations

46 Claims

1. A computer-implemented method for enforcing a set of security policies associated with a protected network, the method comprising the steps of:
- receiving a request for a network address from a client;
  
  determining whether the client is in compliance with the set of security policies, wherein the set of security policies includes at least one rule that evaluates a client'"'"'s compliance based on a configuration of the client; and
  
  responsive to the client'"'"'s being in compliance with the set of security policies, assigning the client a logical address on the protected network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, further comprising the step of:
    - responsive to the client'"'"'s not being in compliance with the set of security policies, denying the client'"'"'s request for a network address.
  - 3. The method of claim 1, further comprising the step of:
    - responsive to the client'"'"'s not being in compliance with the set of security policies, assigning the client a logical address on a restricted network.
  - 4. The method of claim 3, wherein the restricted network provides access to a number of resources necessary for complying with the set of security policies.
  - 5. The method of claim 1, wherein determining whether the client is in compliance with the set of security policies comprises retrieving compliance data for the client from a database, the compliance data indicating whether the client is in compliance with the set of security policies.
  - 6. The method of claim 1, wherein the set of security policies includes one or more rules related to installation on the client of security software, including at least one of:
    - anti-virus software and personal firewall software.
  - 7. The method of claim 6, wherein the set of security policies further includes one or more rules related to an update for the security software.
  - 8. The method of claim 1, wherein the set of security policies include rules related to:
    - installation on the client of licensed software; and
      
      available site licenses for the licensed software.
  - 9. The method of claim 1, further comprising the step of:
    - responsive to receiving a first request for a network address from the client, assigning the client a logical address on a restricted network.
  - 10. The method of claim 1, wherein the set of security policies further includes one or more rules related to a configuration of software on the client.

11. A computer-implemented method for enforcing a set of security policies associated with a protected network, the method comprising the steps of:
- receiving compliance data indicating whether a client is in compliance with the set of security policies, wherein the set of security policies includes at least one rule that evaluates a client'"'"'s compliance based on a configuration of the client;
  
  storing the compliance data for later access;
  
  responsive to a DHCP request for an IP address from the client, retrieving the compliance data related to the client; and
  
  responsive to the retrieved compliance data'"'"'s indicating that the client is in compliance with the set of security policies, assigning the client a logical address on the protected network.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 12. The method of claim 11, further comprising the step of:
    - responsive to the retrieved compliance data'"'"'s indicating that the client is not in compliance with the set of security policies, denying the client'"'"'s DHCP request for an IP address.
  - 13. The method of claim 11, further comprising the step of:
    - responsive to the retrieved compliance data'"'"'s indicating that the client is not in compliance with the set of security policies, assigning the client a logical address on a restricted network.
  - 14. The method of claim 13, wherein the restricted network provides access to a number of resources necessary for complying with the set of security policies.
  - 15. The method of claim 13, further comprising the step of:
    - responsive to receiving a DHCP request from a second non-compliant client, assigning the second non-compliant client a logical address on a second restricted network.
  - 16. The method of claim 11, wherein the protected network is a virtual local area network (VLAN).
  - 17. The method of claim 11, wherein the compliance data includes:
    - whether the client is in compliance with the set of security policies; and
      
      a media access control (MAC) address associated with the client.
  - 18. The method of claim 11, wherein the set of security policies includes one or more rules related to installation on the client of security software, including at least one of:
    - anti-virus software and personal firewall software.
  - 19. The method of claim 18, wherein the set of security policies further includes one or more rules related to an update for the security software.
  - 20. The method of claim 11, further comprising the steps of:
    - receiving an updated set of security policies; and
      
      transmitting the updated set of security policies to the client.
  - 21. The method of claim 11, wherein the set of security policies further includes one or more rules related to a configuration of software on the client.

22. A computer program product comprising a computer-readable medium containing computer program code for enforcing a set of security policies associated with a protected network, the computer program code comprising instructions for performing the steps of:
- receiving a request for a network address from a client;
  
  determining whether the client is in compliance with the set of security policies, wherein the set of security policies includes at least one rule that evaluates a client'"'"'s compliance based on a configuration of the client; and
  
  responsive to the client'"'"'s being in compliance with the set of security policies, assigning the client a logical address on the protected network.
- View Dependent Claims (23, 24, 25, 27)
- - 23. The computer program product of claim 22, the computer program code further comprising instructions for performing the step of:
    - responsive to the client'"'"'s not being in compliance with the set of security policies, denying the client'"'"'s request for a network address.
  - 24. The computer program product of claim 22, the computer program code further comprising instructions for performing the step of:
    - responsive to the client'"'"'s not being in compliance with the set of security policies, assigning the client a logical address on a restricted network.
  - 25. The computer program product of claim 22, wherein the set of security policies includes one or more rules related to installation on the client of security software, including at least one of:
    - anti-virus software and personal firewall software.
  - 27. The computer program product of claim 22, the computer program code further comprising instructions for performing the step of:
    - responsive to receiving a first request for a network address from the client, assigning the client a logical address on a restricted network.

26. The computer program product of 25, wherein the set of security policies further includes one or more rules related to an update for the security software.

28. The computer program product of 22, wherein the set of security policies further includes one or more rules related to a configuration of software on the client.

29. A computer program product comprising a computer-readable medium containing computer program code for enforcing a set of security policies associated with a protected network, the computer program code comprising instructions for performing the steps of:
- receiving compliance data indicating whether a client is in compliance with the set of security policies, wherein the set of security policies includes at least one rule that evaluates a client'"'"'s compliance based on a configuration of the client;
  
  storing the compliance data for later access;
  
  responsive to a DHCP request for an IP address from the client, retrieving the compliance data related to the client; and
  
  responsive to the retrieved compliance data'"'"'s indicating that the client is in compliance with the set of security policies, assigning the client a logical address on the protected network.
- View Dependent Claims (30, 31, 32, 33, 34, 35, 36)
- - 30. The computer program product of claim 29, the computer program code further comprising instructions for performing the step of:
    - responsive to the retrieved compliance data'"'"'s indicating that the client is not in compliance with the set of security policies, denying the client'"'"'s DHCP request for an IP address.
  - 31. The computer program product of claim 29, the computer program code further comprising instructions for performing the step of:
    - responsive to the retrieved compliance data'"'"'s indicating that the client is not in compliance with the set of security policies, assigning the client a logical address on a restricted network.
  - 32. The computer program product of claim 31, the computer program code further comprising instructions for performing the step of:
    - responsive to receiving a DHCP request from a second non-compliant client, assigning the second non-compliant client a logical address on a second restricted network.
  - 33. The computer program product of claim 29, wherein the compliance data includes:
    - whether the client is in compliance with the set of security policies; and
      
      a media access control (MAC) address associated with the client.
  - 34. The computer program product of claim 29, wherein the set of security policies includes one or more rules related to installation on the client of security software, including at least one of:
    - anti-virus software and personal firewall software.
  - 35. The computer program of claim 34, wherein the set of security policies further includes or more rules to an update for the security software.
  - 36. The computer program product of claim 29, wherein the set of security policies further includes one or more rules related to a configuration of software on the client.

37. A DHCP proxy device for enforcing a set of security policies associated with a protected network, the proxy device comprising:
- a DHCP request interface module configured to receive a DHCP request for an IP address from a client; and
  
  a client compliance module coupled to the DHCP request interface module, the client compliance module configured to retrieve, responsive to the DHCP request, compliance data, the compliance data indicating whether the client is in compliance with the set of security policies, wherein the set of security policies includes at least one rule that evaluates a client'"'"'s compliance based on a configuration of the client;
  
  wherein, responsive to the retrieved compliance data'"'"'s indicating that the client is in compliance with the set of security policies, the DHCP request interface module assigns the client a logical address on the protected network.
- View Dependent Claims (38, 39, 40, 41, 42)
- - 38. The proxy device of claim 37, wherein the DHCP request interface module is coupled to a DHCP server for the protected network, and the DHCP request interface module obtains the logical address on the protected network from the DHCP server for the protected network.
  - 39. The proxy device of claim 37, wherein the client compliance module is adapted to communicate with a compliance registration manager, the compliance registration manager storing compliance data for each of a plurality of clients.
  - 40. The proxy device of claim 39, wherein the client compliance module retrieves compliance data for a particular client by querying the compliance registration manager using a MAC address associated with the client.
  - 41. The proxy device of claim 37, wherein, responsive to the retrieved compliance data'"'"'s indicating that the client is not in compliance with the set of security policies, the DHCP request interface module performs at least one of the steps:
    - denying the client'"'"'s DHCP request for an IP address;
      
      assigning the client a logical address on a restricted network.
  - 42. The proxy device of claim 37, further comprising:
    - a policy data module coupled to the client compliance module, the policy data module for storing the set of security policies;
      
      a policy manager module coupled to the policy data module, the policy manger module configured to send the set of security policies to the client upon the occurrence of at least one of;
      
      a DHCP request;
      
      a request for the security policies; and
      
      predetermined times.

43. A system comprising:
- a protected network having associated therewith a set of security policies;
  
  a compliance registration manager for storing compliance data associated with a plurality of clients, the compliance data for each client indicating whether the client is in compliance with the set of security policies, wherein the set of security policies includes at least one rule that evaluates a client'"'"'s compliance based on a configuration of the client; and
  
  a DHCP proxy coupled to the compliance registration manager for retrieving compliance data therefrom, the DHCP proxy further coupled to the protected network, the DHCP proxy configured to intercept a DHCP request for an IP address from a particular client, and further configured to assign that client a logical address on the protected network upon the condition that the client is in compliance with the security policies.
- View Dependent Claims (44, 45, 46)
- - 44. The system of claim 43, further comprising:
    - a client security policy verification module coupleable to the DHCP proxy and executable by a client, the client security policy verification module configured to determine the client'"'"'s compliance with the set of security policies and communicate compliance data associated with that client to the compliance registration manager.
  - 45. The system of claim 43, further comprising:
    - a restricted network coupled to the DHCP proxy;
      
      wherein, responsive to a DHCP request for an IP address from a particular client, the DHCP proxy is configured to assign that client a logical address on the restricted network on the condition that the client is not in compliance with the security policies.
  - 46. The system of claim 45, wherein the protected network and restricted network are virtual local area networks (VLANs).

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Vogel, Greg, McCorkendale, Bruce, Sobel, William E
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
Parthasarathy; Pramila

Application Number

US10/305,622
Publication Number

US 20040103310A1
Time in Patent Office

1,700 Days
Field of Search

None
US Class Current

709/229
CPC Class Codes

H04L 63/105 Multiple levels of security

H04L 63/20 for managing network securi...

Enforcement of compliance with network security policies

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

217 Citations

46 Claims

Specification

Solutions

Use Cases

Quick Links

Enforcement of compliance with network security policies

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

217 Citations

46 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links