Systems and methods of controlling network access
Abstract
A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.
82 Claims
1. A network gatekeeper comprising:
- at least one security policy including requirements that must be satisfied before an access device is granted access to a less-restricted subset of a protected network;
- a policy auditor configured to audit the access device using the at least one security policy, in response to a request to access the less-restricted subset of the protected network, the request being sent from the access device to the gatekeeper via a communication device; and
- an access control configured to reconfigure the communication device such that data sent from the access device is received by the less-restricted subset of the protected network rather than merely a restricted subset of the protected network, if the audit results in a determination that the access device meets the requirements of the at least one security policy, the restricted subset of the protected network including the gatekeeper.
Dependent claims: 2-26.

27. A method of granting access to a protected network, the method comprising:
- receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
- applying a security policy to the access device, responsive to the request;
- reconfiguring the communication port for communicating data between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, if requirements of the security policy are satisfied;
- reading an administrator specified configuration of the communication port from the access point; and
- storing the read administrator specified configuration.

28. A method of granting access to a protected network, the method comprising:
- receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
- applying a security policy to the access device, responsive to the request;
- reconfiguring the communication port for communicating data between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, if requirements of the security policy are satisfied; and
- communicating between the gatekeeper and an agent executing on the access device to monitor security status of the access device after reconfiguring the communication port for communicating between the access device and the less-restricted subset.
Dependent claims: 29-39.

40. A method of granting access to a protected network, the method comprising:
- receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
- applying a security policy to the access device, responsive to the request;
- reconfiguring the communication port for communicating data between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, if requirements of the security policy are satisfied; and
- selecting the security policy from among a plurality of security policies, the selecting being responsive to an identity of elements within the less-restricted subset of the protected network to which access is requested.

41. A method of granting access to a protected network, the method comprising:
- receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
- applying a security policy to the access device, responsive to the request;
- reconfiguring the communication port for communicating data between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, if requirements of the security policy are satisfied; and
- updating the access device if requirements of the security policy are not satisfied.
Dependent claims: 42-55.

56. A method of granting access to a protected network, the method comprising:
- receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper and being characterized by an access control list, the access to the restricted subset of the protected network being responsive to a VLAN configured to communicate with the protected network subject to the access control list;
- applying a security policy to the access device, responsive to the request; and
- reconfiguring the communication port for communicating data between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, if requirements of the security policy are satisfied.

57. A method of granting access to a protected network, the method comprising:
- receiving a first communication from an access device at a communication port, the communication port being configured to pass the first communication to a restricted subset of the protected network, the restricted subset including a gatekeeper configured to enforce a security policy for access to a less-restricted subset of the protected network;
- receiving a command from the gatekeeper, the command being responsive to the received first communication and being configured to reconfigure the communication port to communicate data to the less-restricted subset of the protected network;
- configuring the communication port to communicate data to the less-restricted subset of the protected network rather than merely the restricted subset of the protected network, responsive to the received command; and
- receiving a second communication from the access device at the communication port, the communication port now being configured to pass the second communication to the less-restricted subset of the protected network.
Dependent claims: 58-72.

73. A computing network comprising:
- elements configured to communicate with one or more access devices using at least a communication port of an access point, the elements including at least a gatekeeper;
- means for dividing the elements of the computing network into a restricted subset and a less-restricted subset, the restricted subset including one or more elements of the computing network configured to communicate with access devices having an unknown security status, and the less-restricted subset including one or more elements of the computing network not included in the restricted subset;
- means for receiving a request at the restricted subset, the request being to access the less-restricted subset;
- means for enforcing a security policy in response to the request; and
- means for granting access to the less-restricted subset via the communication port of the access point, responsive to the enforcement of the security policy, the access to the less-restricted subset including communication to the less-restricted subset not necessarily passing through the restricted subset.
Dependent claims: 74-81.

82. A computer readable medium including computer code configured for controlling access to a computer network, the computer code comprising:
- a code segment configured for receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
- a code segment configured for applying a security policy to the access device, responsive to the request;
- a code segment configured for reconfiguring the communication port for communicating data between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, if requirements of the security policy are satisfied;
- a code segment configured for reading an administrator specified configuration of the communication port from the access point; and
- a code segment configured for storing the read administrator specified configuration.

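As an added illustration (not code from the patent or its assignee), the following Python model walks through the admission flow that the abstract and claims 1, 27, 28, 40 and 41 describe: a port starts on the restricted subset, the gatekeeper reads and stores the port's administrator-specified configuration, selects a policy by the requested element, audits the device, moves the port to the less-restricted subset on success or updates the device on failure, and restores the stored configuration when the device agent later reports non-compliance. The VLAN numbers, policy contents and device attributes are constructed assumptions.

```python
# Added example (not from the patent): a model of the gatekeeper flow in the abstract and
# claims 1, 27, 28, 40 and 41. VLANs, policies and device attributes are constructed.
from dataclasses import dataclass

RESTRICTED_VLAN = 10       # constructed: subset holding only the gatekeeper
LESS_RESTRICTED_VLAN = 20  # constructed: subset holding the protected elements

@dataclass
class Port:
    """An access-point communication port; vlan decides which subset receives its traffic."""
    name: str
    vlan: int = RESTRICTED_VLAN  # initial communication lands on the gatekeeper

@dataclass
class AccessDevice:
    name: str
    patch_level: int
    av_enabled: bool

# Constructed policies, selected by the element the device asks to reach (claim 40).
POLICIES = {
    "file-server": {"min_patch": 5, "av": True},
    "print-server": {"min_patch": 3, "av": False},
}

class Gatekeeper:
    def __init__(self):
        self.saved_config = {}  # administrator-specified port config, read before any change (claim 27)
        self.audit_log = []

    def audit(self, dev, policy):
        """Policy auditor: does the device meet the selected policy's requirements?"""
        return dev.patch_level >= policy["min_patch"] and (dev.av_enabled or not policy["av"])

    def request_access(self, dev, port, target):
        self.saved_config.setdefault(port.name, port.vlan)  # read and store the original config
        policy = POLICIES[target]
        granted = self.audit(dev, policy)
        self.audit_log.append((dev.name, target, "granted" if granted else "denied"))
        if granted:
            port.vlan = LESS_RESTRICTED_VLAN  # later traffic no longer passes through the gatekeeper
        else:
            dev.patch_level = max(dev.patch_level, policy["min_patch"])  # update the device (claim 41)
        return granted

    def agent_report(self, dev, port, target):
        """Post-admission report from the device agent (claim 28): revoke if it no longer complies."""
        if port.vlan == LESS_RESTRICTED_VLAN and not self.audit(dev, POLICIES[target]):
            port.vlan = self.saved_config.get(port.name, RESTRICTED_VLAN)  # restore stored config
        return port.vlan
```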
Specification