System and method for secure network connectivity

US 7,360,237 B2
Filed: 07/30/2004
Issued: 04/15/2008
Est. Priority Date: 07/30/2004
Status: Expired due to Fees

First Claim

Patent Images

1. A method of allowing a remote computer access to an internal network, comprising:

receiving an access request from the remote computer;

requesting and receiving configuration information representing a configuration state of the remote computer, the requested configuration information based at least on the access request received from the remote computer;

determining remote computer compliance with a security policy based at least on the information received from the remote computer;

requesting and receiving additional configuration information representing a configuration state of the remote computer if the remote computer is not in compliance with the security policy, the additional configuration information request based at least on the received configuration information and the security policy; and

allowing the remote computer access to the internal network if the remote computer is in compliance with the security policy.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and method to ensure that a remote computer making a VPN connection complies with network security policies. Server-driven security checks may be configured to verify compliance with each access level before access is granted at that level. The security checks may be selected based at least according to the information received from the remote computer. After the server determines that the remote computer complies with the security policy for the requested access level, the server may pass a token to the remote computer, or may grant VPN access to the remote computer. If the remote computer does not comply with the security policy associated with the requested access level but is in compliance with a security policy corresponding to a lower access level, the server may grant the remote computer access to the lower access level.

Citations

48 Claims

1. A method of allowing a remote computer access to an internal network, comprising:
- receiving an access request from the remote computer;
  
  requesting and receiving configuration information representing a configuration state of the remote computer, the requested configuration information based at least on the access request received from the remote computer;
  
  determining remote computer compliance with a security policy based at least on the information received from the remote computer;
  
  requesting and receiving additional configuration information representing a configuration state of the remote computer if the remote computer is not in compliance with the security policy, the additional configuration information request based at least on the received configuration information and the security policy; and
  
  allowing the remote computer access to the internal network if the remote computer is in compliance with the security policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1 further comprising denying access to the internal network if the received additional configuration information of the remote computer includes a prohibited configuration state.
  - 3. The method of claim 1, wherein the step of allowing the remote computer access to the internal network includes transmitting an access token to the remote computer.
  - 4. The method of claim 3, wherein a token server not connected to the internal network transmits the access token to the remote computer.
  - 5. The method of claim 3, wherein the step of allowing the remote computer access to the internal network further includes receiving the access token at a bridge server connected to the internal network.
  - 6. The method of claim 3, wherein the access token expires after a predetermined period of time.
  - 7. The method of claim 3, wherein the access request includes a requested access level, the requested access level selected from a plurality of access levels maintained by the internal network, each of the plurality of access levels authorizing a level of access to a network resource.
  - 8. The method of claim 7, wherein the transmitted access token includes a granted access level.
  - 9. The method of claim 8, wherein the granted access level is not the requested access level when, based on the received configuration information, the remote computer does not comply with a security policy associated with the requested access level but does comply with a security policy associated with the granted access level.
  - 10. The method of claim 1, wherein the access request includes a requested user profile, the user profile corresponding to a requested access level of a server on the internal network.
  - 11. The method of claim 10, wherein the step of determining remote computer compliance with a security policy includes evaluating the access request for compliance with at least one of a plurality of access levels of the server on the internal network, the at least one of the plurality of access levels being based, in part, on the requested user profile and the configuration information of the remote computer.
  - 12. The method of claim 10, wherein the step of allowing the remote computer access to the internal network includes transmitting an access token to the remote computer, wherein the transmitted access token includes a granted user profile.
  - 13. The method of claim 12, wherein the granted user profile is not the requested user profile when, based on the received configuration information, the remote computer does not comply with a security policy associated with the requested user profile but does comply with a security policy associated with the granted user profile.

14. A method of accessing an internal network from a remote computer, comprising:
- (a) transmitting an access request to a token server, wherein the token server is not connected to the internal network;
  
  (b) receiving from the token server a request for configuration information representing a configuration state of the remote computer;
  
  (c) transmitting the configuration information of the remote computer to the token server;
  
  (d) receiving from the token server a request for additional configuration information representing a configuration state of the remote computer;
  
  (e) repeating steps (b)-(d) until an access token is received from the token server; and
  
  (f) transmitting the access token to a bridge server connected to the internal network to access the internal network.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The method of claim 14, wherein the access token expires after a predetermined period of time.
  - 16. The method of claim 14, wherein the access request includes a requested access level, the requested access level selected from a plurality of access levels maintained by the internal network, each of the plurality of access levels authorizing a level of access to a network resource.
  - 17. The method of claim 16, wherein the received access token includes a granted access level.
  - 18. The method of claim 17, wherein the granted access level is not the requested access level when, based on the transmitted configuration information, the remote computer does not comply with a security policy associated with the requested access level but does comply with a security policy associated with the granted access level.
  - 19. The method of claim 14, wherein the access request includes a requested user profile, the user profile corresponding to a requested access level of a server on the internal network.
  - 20. The method of claim 19, wherein the token server determines compliance of the remote computer with a security policy by evaluating the access request for compliance with at least one of a plurality of access levels of the server on the internal network, the at least one of the plurality of access levels being based, in part, on the requested user profile and the configuration information of the remote computer.
  - 21. The method of claim 19, wherein the received access token includes a granted user profile.
  - 22. The method of claim 21, wherein the granted user profile is not the requested user profile when, based on the transmitted configuration information, the remote computer does not comply with a security policy associated with the requested user profile but does comply with a security policy associated with the granted user profile.

23. A method for providing access to a server on an internal network, comprising:
- receiving a validation token request from a remote computer, the validation token request including configuration information representing a configuration state of the remote computer;
  
  evaluating the validation token request for compliance with a security policy, the security policy based, in part, on a configuration of the remote computer;
  
  if the validation token request does not comply with the security policy, transmitting a request for additional configuration information representing a configuration state of the remote computer, receiving the additional configuration information of the remote computer, and evaluating the received additional configuration information of the remote computer for compliance with the security policy;
  
  repeating the transmitting, receiving, and evaluating steps until a level of compliance with the security policy is determined;
  
  transmitting an access token specifying an access level based on the determined level of compliance; and
  
  processing a server login request, the server login request including the access token.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35)
- - 24. The method of claim 23, wherein the additional con figuration information request is based at least on a previous token request.
  - 25. The method of claim 23, wherein a token server not connected to the internal network transmits the access token to the remote computer.
  - 26. The method of claim 23, wherein a bridge server connected to the internal network processes the server login request.
  - 27. The method of claim 23, wherein the step of evaluating the received additional configuration information includes denying access to the server on the internal network if the received additional configuration information includes a prohibited configuration state.
  - 28. The method of claim 23, wherein the validation token request includes a requested access level, the requested access level selected from a plurality of access levels maintained by the internal network, each of the plurality of access levels authorizing a level of access to a network resource.
  - 29. The method of claim 28, wherein the access level specified by the access token is not the requested access level when, based on the received configuration information, the remote computer does not comply with the security policy associated with the requested access level but does comply with a security policy associated with the access level specified by the access token.
  - 30. The method of claim 28 further comprising the step of updating the plurality of access levels as new information becomes available, thereby ensuring security compliance without updating information on one or more remote computers.
  - 31. The method of claim 28, wherein the plurality of access levels include full level access, intermediate level access, low level access, and no access, to the network resource.
  - 32. The method of claim 23, wherein the validation token request includes a requested user profile, the user profile corresponding to a requested access level of the server on the internal network.
  - 33. The method of claim 32, wherein the step of evaluating the validation token request for compliance with the security policy includes evaluating the validation token request for compliance with at least one of a plurality of access levels of the server on the internal network, the at least one of the plurality of access levels being based, in part, on the requested user profile and the configuration information of the remote computer.
  - 34. The method of claim 33, wherein the transmitted access token includes a granted user profile.
  - 35. The method of claim 34, wherein the granted user profile is not the requested user profile when, based on the received configuration information, the remote computer does not comply with a security policy associated with the requested user profile but does comply with a security policy associated with the granted user profile.

36. A method of accessing a server on an internal network from a remote computer, comprising:
- transmitting a validation token request to a token server, the validation token request including configuration information representing a configuration state of the remote computer, wherein the token server is not connected to the internal network;
  
  if the validation token request does not comply with a security policy, receiving from the token server a request for additional configuration information representing a configuration state of the remote computer and transmitting to the token server the additional configuration information of the remote computer;
  
  repeating the receiving and transmitting steps until a level of compliance with the security policy is determined;
  
  receiving from the token server an access token specifying an access level based on the determined level of compliance; and
  
  transmitting the access token to a bridge server connected to the internal network to access the internal network.
- View Dependent Claims (37, 38, 39, 40, 41, 42, 43, 44)
- - 37. The method of claim 36, wherein the additional configuration information request is based at least on a previous token request.
  - 38. The method of claim 36, wherein the validation token request includes a requested access level, the requested access level selected from a plurality of access levels maintained by the internal network, each of the plurality of access levels authorizing a level of access to a network resource.
  - 39. The method of claim 38, wherein the access level specified by the access token is not the requested access level when, based on the transmitted configuration information, the remote computer does not comply with the security policy associated with the requested access level but does comply with a security policy associated with the access level specified by the access token.
  - 40. The method of claim 38, wherein the plurality of access levels include full level access, intermediate level access, low level access, and no access, to the network resource.
  - 41. The method of claim 36, wherein the validation token request includes a requested user profile, the user profile corresponding to a requested access level of the server on the internal network.
  - 42. The method of claim 41, wherein the token server determines compliance of the remote computer with a security policy by evaluating the access request for compliance with at least one of a plurality of access levels of the server on the internal network, the at least one of the plurality of access levels being based, in part, on the requested user profile and the configuration information of the remote computer.
  - 43. The method of claim 42, wherein the received access token includes a granted user profile.
  - 44. The method of claim 43, wherein the granted user profile is not the requested user profile when, based on the transmitted configuration information, the remote computer does not comply with a security policy associated with the requested user profile but does comply with a security policy associated with the granted user profile.

45. A computer program product including a computer readable medium having stored thereon computer executable instructions that, when executed on a computer, configure a computer to perform a method of allowing access to an internal network by a remote computer comprising the steps of:
- receiving an access request from the remote computer;
  
  requesting and receiving configuration information representing a configuration state of the remote computer, the requested configuration information based at least on the access request received from the remote computer;
  
  determining remote computer compliance with a security policy based at least on the information received from the remote computer;
  
  requesting and receiving additional configuration information representing a configuration state of the remote computer if the remote computer is not in compliance with the security policy, the additional configuration information request based at least on the received configuration information and the security policy; and
  
  allowing the remote computer access to the internal network if the remote computer is in compliance with the security policy.

46. A computer program product including a computer readable medium having stored thereon computer executable instructions that, when executed on a computer, configure a remote computer to perform a method of accessing an internal network comprising the steps of:
- (a) transmitting an access request to a token server, wherein the token server is not connected to the internal network;
  
  (b) receiving from the token server a request for configuration information representing a configuration state of the remote computer;
  
  (c) transmitting the configuration information of the remote computer to the token server;
  
  (d) receiving from the token server a request for additional configuration information representing a configuration state of the remote computer;
  
  (e) repeating steps (b)-(d) until an access token is received from the token server; and
  
  (f) transmitting the access token to a bridge server connected to the internal network to access the internal network.

47. A computer program product including a computer readable medium having stored thereon computer executable instructions that, when executed on a computer, configure a computer to perform a method of providing access to a server on an internal network comprising the steps of:
- receiving a validation token request from a remote computer, the validation token request including configuration information representing a configuration state of the remote computer;
  
  evaluating the validation token request for compliance with a security policy, the security policy based, in part, on a configuration of the remote computer;
  
  if the validation token request does not comply with the security policy, transmitting a request for additional configuration information representing a configuration state of the remote computer, receiving the additional configuration information of the remote computer, and evaluating the received additional configuration information of the remote computer for compliance with the security policy;
  
  repeating the transmitting, receiving, and evaluating steps until a level of compliance with the security policy is determined;
  
  transmitting an access token specifying an access level based on the determined level of compliance; and
  
  processing a server login request, the server login request including the access token.

48. A computer program product including a computer readable medium having stored thereon computer executable instructions that, when executed on a computer, configure a remote computer to perform a method of accessing a server on an internal network comprising the steps of:
- transmitting a validation token request to a token server, the validation token request including configuration information representing a configuration state of the remote computer, wherein the token server is not connected to the internal network;
  
  ,if the validation token request does not comply with a security policy, receiving from the token server a request for additional configuration information representing a configuration state of the remote computer and transmitting to the token server the additional configuration information of the remote computer;
  
  repeating the receiving and transmitting steps until a level of compliance with the security policy is determined;
  
  receiving from the token server an access token specifying an access level based on the determined level of compliance; and
  
  transmitting the access token to a bridge server connected to the internal network to access the internal network.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Barclays Capital Incorporated (Barclays PLC)
Original Assignee
Lehman Brothers Incorporated (Barclays PLC)
Inventors
Engle, Michael T., Nwokobia, Frederick, Noack, Bradley D., Makowiecki, Jerzy
Primary Examiner(s)
Barron, Jr., Gilberto
Assistant Examiner(s)
LEMMA, SAMSON B

Application Number

US10/903,941
Publication Number

US 20070101405A1
Time in Patent Office

1,355 Days
Field of Search

726 1- 2, 726/9, 726/12, 726/15, 726/18
US Class Current

726/1
CPC Class Codes

H04L 63/0272   Virtual private networks

H04L 63/102   Entity profiles

H04L 63/105   Multiple levels of security

H04L 63/108   when the policy decisions a...

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

System and method for secure network connectivity

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

48 Claims

Specification

Solutions

Use Cases

Quick Links

System and method for secure network connectivity

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

48 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links