Wireless manager and method for configuring and securing wireless access to a network

US 7,469,139 B2
Filed: 05/24/2005
Issued: 12/23/2008
Est. Priority Date: 05/24/2004
Status: Active Grant

First Claim

Patent Images

1. A wireless manager for configuring and securing wireless access to a network, the wireless manager adapted to:

intercept a request from a mobile device to wirelessly communicate with a network, the request including one or more characteristics dynamically describing the mobile device, wherein the characteristics describing the mobile device include at least one of a physical characteristic or a logical characteristic describing a location of the mobile device;

automatically identify a security profile based on the characteristics describing the mobile device, the security profile including one or more security parameters defining an access zone for the network;

automatically provision at least one connection profile to the mobile device based on the characteristics describing the mobile device, the connection profile configuring one or more of the characteristics describing the mobile device to enforce the security parameters defining the access zone; and

authorize the mobile device to wirelessly communicate with the network from within the access zone, wherein the security parameters include one or more in-house security parameters in effect when the location of the mobile device is within the network and one or more on-the-road security parameters in effect when the location of the mobile device is remote from the network, wherein the connection profile enforces the security parameters defining the access zone by instructing the mobile device to;

automatically collect security information;

encrypt the collected security information; and

provide the encrypted security information to the wireless manager.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

The disclosure provides a wireless manager operable to receive a request from a mobile device to wirelessly communicate with an enterprise network, with the request including information operable to dynamically identify a location of the mobile device. The wireless manager is further operable to automatically associate an access zone with the mobile device with the access zone comprising at least one logical characteristic, compare the location information to the associated access zone, and, if the location information indicates that the mobile device does not violate the access zone, authorize wireless communications with the enterprise network.

453 Citations

35 Claims

1. A wireless manager for configuring and securing wireless access to a network, the wireless manager adapted to:
- intercept a request from a mobile device to wirelessly communicate with a network, the request including one or more characteristics dynamically describing the mobile device, wherein the characteristics describing the mobile device include at least one of a physical characteristic or a logical characteristic describing a location of the mobile device;
  
  automatically identify a security profile based on the characteristics describing the mobile device, the security profile including one or more security parameters defining an access zone for the network;
  
  automatically provision at least one connection profile to the mobile device based on the characteristics describing the mobile device, the connection profile configuring one or more of the characteristics describing the mobile device to enforce the security parameters defining the access zone; and
  
  authorize the mobile device to wirelessly communicate with the network from within the access zone, wherein the security parameters include one or more in-house security parameters in effect when the location of the mobile device is within the network and one or more on-the-road security parameters in effect when the location of the mobile device is remote from the network, wherein the connection profile enforces the security parameters defining the access zone by instructing the mobile device to;
  
  automatically collect security information;
  
  encrypt the collected security information; and
  
  provide the encrypted security information to the wireless manager.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The wireless manager of claim 1, further adapted to:
    - monitor the characteristics describing the mobile device; and
      
      invoke at least one action when one or more of the monitored characteristics violate one or more of the security parameters defining the access zone.
  - 3. The wireless manager of claim 2, wherein the invoked action includes at least one of:
    - commanding the mobile device to disable wireless access to the network;
      
      disabling wireless access to the network for the mobile device;
      
      commanding the mobile device to block access to the network through at least one of a specified port, Internet Protocol address, or access point;
      
      disabling access to the network from at least one of a specified port, Internet Protocol address, or access point;
      
      commanding the mobile device to disable at least one of Internet or network file sharing;
      
      ordisabling at least one of Internet sharing or network file sharing on the network.
  - 4. The wireless manager of claim 2, further adapted to dynamically determine the action to be invoked based on a role of an end user logged in to the network through the mobile device.
  - 5. The wireless manager of claim 2, wherein one or more of the monitored characteristics violate the access zone when the location of the mobile device is within the access zone.
  - 6. The wireless manager of claim 1, further adapted to present to an administrator a graphical user interface (GUI), the GUI including a graphical representation of the access zone and displaying the mobile device and the access zone on an interactive map of the network.
  - 7. The wireless manager of claim 1, wherein the in-house security parameters define the access zone according to a three-dimensional geographical space, and wherein at least one of the in-house security parameters or the on-the-road security parameters define the access zone according to one or more of authorized end users, authorized SSID, BSSID, or ESSID access points, authorized ports, authorized Internet Protocol addresses, authorized locations, or authorized times.
  - 8. The wireless manager of claim 1, wherein the characteristics describing the mobile device include a wireless access point to which the mobile device is connected, the wireless manager further adapted to:
    - determine that the mobile device has connected to a new wireless access point; and
      
      automatically update at least one of the security profile or the connection profile based on one or more characteristics of the new wireless access point.
  - 9. The wireless manager of claim 1, further adapted to:
    - manage firmware of the mobile device based on the characteristics describing the mobile device, wherein managing the firmware includes at least one of registering a firmware version, scheduling a firmware delivery, rolling back firmware, or communicating a firmware update to the mobile device for automatic installation.
  - 10. The wireless manager of claim 1, comprising a wireless agent installed at the mobile device.
  - 11. The wireless manager of claim 10, wherein the location remote from the network includes a network provided by a third party.
  - 12. The wireless manager of claim 1, the collected security information including at least one of:
    - networks previously visited by the mobile device;
      
      types of access points previously used by the mobile device;
      
      performance metrics of the mobile device;
      
      intrusion attempts against the mobile device;
      
      orindications that a user of the mobile device attempted to bypass one or more of the security profile or the connection profile.
  - 13. The wireless manager of claim 1, wherein the mobile device provides the encrypted security information to the wireless manager when the location of the mobile device is within the network, the wireless manager further adapted to decrypt the encrypted security information and store the decrypted security information for subsequent processing.

14. A method for configuring and securing wireless access to a network, comprising:
- intercepting a request from a mobile device to wirelessly communicate with a network, the request including one or more characteristics dynamically describing the mobile device, wherein the characteristics describing the mobile device include at least one of a physical characteristic or a logical characteristic describing a location of the mobile device;
  
  automatically identifying a security profile based on the characteristics describing the mobile device, the security profile including one or more security parameters defining an access zone for the networks;
  
  automatically provisioning at least one connection profile to the mobile device based on the characteristics describing the mobile device, the connection profile configuring one or more of the characteristics describing the mobile device to enforce the security parameters defining the access zone; and
  
  authorizing the mobile device to wirelessly communicate with the network from within the access zone, wherein the security parameters include one or more in-house security parameters in effect when the location of the mobile device is within the network and one or more on-the-road security parameters in effect when the location of the mobile device is remote from the network, wherein the connection profile enforces the security parameters defining the access zone by instructing the mobile device to;
  
  automatically collect security information;
  
  encrypt the collected security information; and
  
  provide the encrypted security information to a wireless manager.
- View Dependent Claims (15, 16, 17, 18, 19, 20, 21, 22)
- - 15. The method of claim 14, further comprising:
    - monitoring the characteristics describing the mobile device; and
      
      invoking at least one action when one or more of the monitored characteristics violate one or more of the security parameters defining the access zone.
  - 16. The method of claim 15, wherein the invoked action includes at least one of:
    - commanding the mobile device to disable wireless access to the network;
      
      disabling wireless access to the network for the mobile device;
      
      commanding the mobile device to block access to the network through at least one of a specified port, Internet Protocol address, or access point;
      
      disabling access to the network from at least one of a specified port, internet Protocol address, or access point;
      
      commanding the mobile device to disable at least one of Internet or network file sharing;
      
      ordisabling at least one of Internet sharing or network file sharing on the network.
  - 17. The method of claim 15, further comprising dynamically determining the action to be invoked based on a role of an end user logged in to the network through the mobile device.
  - 18. The method of claim 15, wherein one or more of the monitored characteristics violate the access zone when the location of the mobile device is within the access zone.
  - 19. The method of claim 14, further comprising presenting to an administrator a graphical user interface (GUI), the GUI including a graphical representation of the access zone and displaying the mobile device and the access zone on an interactive map of the network.
  - 20. The method of claim 14, wherein the in-house security parameters define the access zone according to a three-dimensional geographical space, and wherein at least one of the in-house security parameters or the on-the-road security parameters define the access zone according to one or more of authorized end users, authorized SSID, BSSID, or ESSID access points, authorized ports, authorized Internet Protocol addresses, authorized locations, or authorized times.
  - 21. The method of claim 14, wherein the characteristics describing the mobile device include a wireless access point to which the mobile device is connected, the method further comprising:
    - determining that the mobile device has connected to a new wireless access point; and
      
      automatically update at least one of the security profile or the connection profile based on one or more characteristics of the new wireless access point.
  - 22. The method of claim 14, further comprising:
    - managing firmware of the mobile device based on the characteristics describing the mobile device, wherein managing the firmware includes at least one of registering a firmware version, scheduling a firmware delivery, rolling back firmware, or communicating a firmware update to the mobile device for automatic installation.

23. A system for configuring and securing wireless access to a network, comprising:
- a memory storing at least one security profile, the security profile including one or more security parameters defining an access zone for a network, wherein at least one of the security parameters define the access zone according to a three-dimensional geographical space; and
  
  one or more processors operable to;
  
  intercept a request from a mobile device to wirelessly communicate with a network, the request including one or more characteristics dynamically describing the mobile device, wherein the characteristics describing the mobile device include at least one of a physical characteristic or a logical characteristic describing a location of the mobile device;
  
  automatically provision at least one connection profile to the mobile device based on the characteristics describing the mobile device, the connection profile configuring one or more of the characteristics describing the mobile device to enforce the security parameters defining the access zone; and
  
  authorize the mobile device to wirelessly communicate with the network from within the access zone, wherein the security parameters include one or more in-house security parameters in effect when the location of the mobile device is within the network and one or more on-the-road security parameters in effect when the location of the mobile device is remote from the network, wherein the connection profile enforces the security parameters defining the access zone by instructing the mobile device to;
  
  automatically collect security information,encrypt the collected security information, andprovide the encrypted security information to a wireless manager.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32)
- - 24. The system of claim 23, the one or more processors further operable to:
    - monitor the characteristics describing the mobile device; and
      
      invoke at least one action when one or more of the monitored characteristics violate one or more of the security parameters defining the access zone.
  - 25. The system of claim 24, wherein the invoked action includes at least one of:
    - commanding the mobile device to disable wireless access to the network;
      
      disabling wireless access to the network for the mobile device;
      
      commanding the mobile device to block access to the network through at least one of a specified port, Internet Protocol address, or access point;
      
      disabling access to the network from at least one of a specified port, Internet Protocol address, or access point;
      
      commanding the mobile device to disable at least one of Internet sharing or network file sharing;
      
      ordisabling at least one of Internet sharing or network file sharing on the network.
  - 26. The system of claim 24, the one or more processors further operable to dynamically determine the action to be invoked based on a role of an end user logged in to the network through the mobile device.
  - 27. The system of claim 24, wherein one or more of the monitored characteristics violate the access zone when the location of the mobile device is within the access zone.
  - 28. The system of claim 23, the one or more processors further operable to present to an administrator a graphical user interface (GUI), the GUI including a graphical representation of the access zone and displaying the mobile device and the access zone on an interactive map of the network.
  - 29. The system of claim 28, wherein the in-house security parameters define the access zone according to a three-dimensional geographical space, and wherein at least one of the in-house security parameters or the on-the-road security parameters define the access zone according to one or more of authorized end users, authorized SSID, BSSID, or ESSID access points, authorized ports, authorized Internet Protocol addresses, authorized locations, or authorized times.
  - 30. The system of claim 23, wherein the characteristics describing the mobile device include a wireless access point to which the mobile device is connected, the one or more processors are further operable to:
    - determine that the mobile device has connected to a new wireless access point; and
      
      automatically update at least one of the security profile or the connection profile based on one or more characteristics of the new wireless access point.
  - 31. The system of claim 23, the one or more processors further operable to:
    - manage firmware of the mobile device based on the characteristics describing the mobile device, wherein managing the firmware includes at least one of registering a firmware version, scheduling a firmware delivery, rolling back firmware, or communicating a firmware update to the mobile device for automatic installation.
  - 32. The system of claim 23, wherein the physical characteristic describes the location of the mobile device according to an expected x, y, z position of the mobile device with a projection onto an xy-plane.

33. A wireless manager for configuring and securing wireless access to a network, the wireless manager adapted to:
- intercept a request from a mobile device to wirelessly communicate with a network, the request including one or more characteristics dynamically describing the mobile device, wherein the characteristics describing the mobile device include at least one of a physical characteristic or a logical characteristic describing a location of the mobile device;
  
  automatically identify a security profile based on the characteristics describing the mobile device, the security profile including one or more security parameters defining an access zone for the network;
  
  automatically provision at least one connection profile to the mobile device based on the characteristics describing the mobile device, the connection profile configuring one or more of the characteristics describing the mobile device to enforce the security parameters defining the access zone;
  
  authorize the mobile device to wirelessly communicate with the network from within the access zone, wherein the security parameters include one or more in-house security parameters in effect when the location of the mobile device is within the network and one or more on-the-road security parameters in effect when the location of the mobile device is remote from the network;
  
  monitor the characteristics describing the mobile device;
  
  invoke at least one action when one or more of the monitored characteristics violate one or more of the security parameters defining the access zone; and
  
  dynamically determine the action to be invoked based on a role of an end user logged in to the network through the mobile device.

34. A method for configuring and securing wireless access to a network, comprising:
- intercepting a request from a mobile device to wirelessly communicate with a network, the request including one or more characteristics dynamically describing the mobile device, wherein the characteristics describing the mobile device include at least one of a physical characteristic or a logical characteristic describing a location of the mobile device;
  
  automatically identifying a security profile based on the characteristics describing the mobile device, the security profile including one or more security parameters defining an access zone for the network;
  
  automatically provisioning at least one connection profile to the mobile device based on the characteristics describing the mobile device, the connection profile configuring one or more of the characteristics describing the mobile device to enforce the security parameters defining the access zone;
  
  authorizing the mobile device to wirelessly communicate with the network from within the access zone, wherein the security parameters include one or more in-house security parameters in effect when the location of the mobile device is within the network and one or more on-the-road security parameters in effect when the location of the mobile device is remote from the network;
  
  monitoring the characteristics describing the mobile device;
  
  invoking at least one action when one or more of the monitored characteristics violate one or more of the security parameters defining the access zone; and
  
  dynamically determining the action to be invoked based on a role of an end user logged in to the network through the mobile device.

35. A system for configuring and securing wireless access to a network, comprising:
- a memory storing at least one security profile, the security profile including one or more security parameters defining an access zone for a network, wherein at least one of the security parameters define the access zone according to a three-dimensional geographical space; and
  
  one or more processors operable to;
  
  intercept a request from a mobile device to wirelessly communicate with a network, the request including one or more characteristics dynamically describing the mobile device, wherein the characteristics describing the mobile device include at least one of a physical characteristic or a logical characteristic describing a location of the mobile device;
  
  automatically provision at least one connection profile to the mobile device based on the characteristics describing the mobile device, the connection profile configuring one or more of the characteristics describing the mobile device to enforce the security parameters defining the access zone;
  
  authorize the mobile device to wirelessly communicate with the network from within the access zone, wherein the security parameters include one or more in-house security parameters in effect when the location of the mobile device is within the network and one or more on-the-road security parameters in effect when the location of the mobile device is remote from the network;
  
  monitor the characteristics describing the mobile device;
  
  invoke at least one action when one or more of the monitored characteristics violate one or more of the security parameters defining the access zone; and
  
  dynamically determine the action to be invoked based on a role of an end user logged in to the network through the mobile device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Google LLC (Alphabet Inc.)
Original Assignee
Computer Associates Think Inc. (Broadcom, Inc.)
Inventors
van de Groenendaal, Joannes G.
Primary Examiner(s)
Bost; Dwayne D
Assistant Examiner(s)
Ewart; James D

Application Number

US11/136,216
Publication Number

US 20050260973A1
Time in Patent Office

1,309 Days
Field of Search

455/410, 455/411, 455/422.1, 455/456.1, 455/457, 455/432.3, 455/435.2, 455/447, 455/552.1, 455/78, 455/88, 455/114.14, 455/230, 455/415, 455/433, 455/456.2, 455/456.3, 455/556.2, 455/268, 370/15.02, 370/114.14, 370/118, 370/121.06, 370/221.08, 370/901, 709/217, 709/219, 709/225, 709/229, 713/182, 726/2, 726/3, 726/7, 726/17
US Class Current

455/411
CPC Class Codes

H04L 63/102   Entity profiles

H04L 67/564   Enhancement of application ...

H04M 1/67   by electronic means

H04M 1/72406   by software upgrading or do...

H04M 1/72451   according to schedules, e.g...

H04M 1/72457   according to geographic loc...

H04M 1/72463   to restrict the functionali...

H04W 12/06   Authentication

H04W 12/08   Access security

H04W 12/37   Managing security policies ...

H04W 12/64   using geofenced areas

H04W 12/73   Access point logical identity

H04W 4/021   Services related to particu...

H04W 48/04   based on user or terminal l...

H04W 8/205   Transfer to or from user eq...

H04W 84/12   WLAN [Wireless Local Area N...

Wireless manager and method for configuring and securing wireless access to a network

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

453 Citations

35 Claims

Specification

Solutions

Use Cases

Quick Links

Wireless manager and method for configuring and securing wireless access to a network

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

453 Citations

35 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links