System and methods for providing network quarantine
First Claim
1. A system for providing quarantine on a network comprising:
a client device seeking access to a network resource, the client device configured to:
    perform a first plurality of checks specified by a first manifest,
    store a first status report at the client device, the first status report specifying results of the first plurality of checks, and
    send a Bill of Health (BoH) request that contains the first status report;
a first server device that:
    receives the BoH request sent by the client device,
    determines whether the first status report indicates that the client device passed all of the checks specified by a second manifest that specifies a second plurality of checks that the client device must perform,
    sends to the client device the second manifest when the first status report indicates that the client device did not pass all of the checks specified by the second manifest,
    receives, from the client device, a second status report that indicates results of the client device performing the second plurality of checks,
    stores a Bill of Health (BoH) for the client device when the second status report indicates that the client device passed all of the checks in the second plurality of checks, the BoH comprising a creation time of the BoH, an expiration date of the BoH, a manifest version identifier that identifies a version number of the second manifest, and an integrity check;
    if the results of the second plurality of checks show that the client device passed all of the checks in the second plurality of checks, sends, to the client device, a certificate that provides proof that the client device possesses a required configuration, the certificate comprising a serial number of the BoH, an address of the first server device, and a digital signature; and
a second server device that:
    receives a request for access to the network resource from the client device, the request including the certificate,
    uses the serial number in the certificate and the address of the first server device to retrieve the BoH from the first server device,
    uses the digital signature of the certificate to determine whether any part of the certificate has been modified after the certificate was issued by the first server device,
    after retrieving the BoH, uses the integrity check to determine whether the BoH has been tampered,
    determines whether the expiration date of the BoH has passed,
    determines whether the manifest version identifier identifies a most recent manifest version number,
    provides access to the network resource when the second server device determines that the certificate has not been modified after the certificate was issued by the first server device, that the BoH has not been tampered, that the expiration date for the BoH has not passed, and that the manifest version identifier specifies the most recent manifest version number,
    wherein the second server device denies the client device access to the network resource when the second server device determines that the certificate has been modified after the certificate was issued by the first server device, that the BoH has been tampered, that the expiration date for the BoH has passed, or that the manifest version identifier does not identify the most recent manifest version number;
wherein the client device periodically requests that the certificate be updated by the first server device, regardless of whether the client device sends further requests for access to the network resource to the second server device.
Abstract
A client quarantine agent requests a bill of health from a quarantine server, and receives a manifest of checks that the client computer must perform. The quarantine agent then sends a status report on the checks back to the quarantine server. If the client computer is in a valid security state, the bill of health is issued to the client. If the client computer is in an invalid state, the client is directed to install the appropriate software/patches to achieve a valid state. When a client requests the use of network resources from a network administrator, the network administrator requests the client's bill of health. If the bill of health is valid, the client is admitted to the network. If the bill of health is invalid, the client is placed in quarantine.
16 Claims
10. A method for a client device to acquire access to a network resource, comprising:
    performing, at the client device, a first plurality of checks specified by a first manifest;
    storing a first status report at the client device, the first status report specifying results of the first plurality of checks;
    sending a Bill of Health (BoH) request that contains the first status report from the client device to a first server device;
    receiving, at the client device, a second manifest of checks from the first server device when the first server device determines that the first status report indicates that the client device did not pass all of the checks specified by the second manifest, wherein the checks of the second manifest determine whether the client device possesses a required configuration;
    performing, at the client device, the checks in the second manifest of checks;
    sending, from the client device to the first server device, a second status report that indicates results of the checks of the second manifest;
    receiving, at the client device from the first server device, a certificate that provides proof that the client device possesses the required configuration, wherein the certificate comprises a serial number of a BoH for the client device stored at the first server device, an address of the first server device, and a digital signature, and wherein the BoH comprises a creation time of the BoH, an expiration date for the BoH, a manifest version identifier that identifies a version number of the second manifest, and an integrity check;
    sending, from the client device to a second server device that controls access to the network resource, a request for access to the network resource;
    sending, from the client device to the second server device, the certificate;
    receiving, at the client device, access to the network resource when the certificate has not been modified after the certificate was issued by the first server device, the BoH has not been tampered, the expiration date for the BoH has not passed, and the manifest version identifier of the BoH identifies a most recent manifest version number;
    periodically requesting, from the client device, that the certificate be updated by the first server device, regardless of whether the client device sends further requests for access to the network resource to the second server device.
13. A method for quarantining a client device from access to a network resource, comprising:
    receiving, at a first server device, a request for access to the network resource from the client device;
    receiving, at the first server device from the client device, a certificate that provides proof that the client device has a required configuration, wherein the certificate specifies a serial number of a Bill of Health (BoH) generated by a trusted server device that only generates the BoH when the trusted server device receives, from the client device, a status report that indicates results of checks specified in a manifest sent to the client device by the trusted server device and the results of the checks show that the client device passed all the checks;
    sending, from the first server device to the trusted server device, a request for the BoH, the request for the BoH specifying the serial number of the BoH;
    receiving, at the first server device, the BoH, the BoH specifying a creation time of the BoH, an expiration date for the BoH, a manifest version identifier that specifies a version number of the manifest, and an integrity check;
    validating, at the first server device, the certificate when the certificate has not been modified after the certificate was issued by the trusted server device, the BoH has not been tampered, the expiration date of the BoH has not passed, and the manifest version identifier specifies a most recent manifest version number;
    if the certificate is valid, allowing the client device access to the network resource;
    if the certificate is invalid, denying the client device access to the network resource; and
    wherein the trusted server device periodically receives from the client device a request that the certificate be updated, regardless of further requests for access to the network resource.
15. One or more computer readable storage media having computer-executable instructions that, when executed by a processing unit in a client device, cause the client device to perform a method for the client device to acquire access to a network resource, the method comprising the steps of:
    performing, at the client device, a first plurality of checks specified by a first manifest;
    storing a first status report at the client device, the first status report specifying results of the first plurality of checks;
    sending a Bill of Health (BoH) request that contains the first status report from the client device to a first server device;
    receiving, at the client device, a second manifest of checks from the first server device when the first server device determines that the first status report indicates that the client device did not pass all of the checks specified by the second manifest, wherein the checks of the second manifest determine whether the client device possesses a required configuration of installed software;
    performing, at the client device, the checks in the second manifest of checks;
    sending a second status report that indicates results of the checks of the second manifest from the client device to the first server device;
    receiving, at the client device from the first server device, a certificate that provides proof that the client device possesses the required configuration, wherein the certificate comprises a serial number of a BoH for the client device stored at the first server device, an address of the first server device, and a digital signature, and wherein the BoH comprises a creation time of the BoH, an expiration date for the BoH, a manifest version identifier that identifies a version number of the second manifest, and an integrity check;
    sending, from the client device to a second server device that controls access to the network resource, a request to access the network resource;
    sending, from the client device to the second server device, the certificate;
    receiving, at the client device, access to the network resource when the certificate has not been modified after the certificate was issued by the first server device, the BoH has not been tampered, the expiration date for the BoH has not passed, and the manifest version identifier of the BoH identifies a most recent manifest version number; and
    periodically sending, from the client device to the first server device, a request to update the certificate, regardless of further requests for access to the network resource.
16. A system for a client device to acquire access to a network resource, comprising:
    a processing unit; and
    a memory coupled with and readable by the processing unit and having stored therein instructions which, when executed by the processing unit, cause a module to perform the following acts:
        performing, at the client device, a first plurality of checks specified by a first manifest;
        storing a first status report at the client device, the first status report specifying results of the first plurality of checks;
        sending a Bill of Health (BoH) request that contains the first status report from the client device to a first server device;
        receiving, at the client device, a second manifest of checks from the first server device when the first server device determines that the first status report indicates that the client device did not pass all of the checks specified by the second manifest, wherein the checks of the second manifest determine whether the client device possesses a required configuration;
        performing, at the client device, the checks in the second manifest of checks;
        sending, from the client device to the first server device, a second status report that indicates results of the checks of the second manifest;
        receiving, at the client device from the first server device, a certificate that provides proof that the client device possesses the required configuration, wherein the certificate comprises a serial number of a BoH for the client device stored at the first server device, an address of the first server device, and a digital signature, and wherein the BoH comprises a creation time of the BoH, an expiration date for the BoH, a manifest version identifier that identifies a version number of the second manifest, and an integrity check;
        storing the certificate at the client device;
        sending, from the client device to a second server device that controls access to the network resource, a request to access the network resource;
        determining, at the client device, whether the certificate stored at the client device is valid;
        sending, from the client device to the first server device, a request to update the proof if the certificate is no longer valid;
        sending, from the client device to the second server device, the certificate of the required configuration; and
        periodically sending, from the client device to the first server device, requests to update the certificate, regardless of further requests for access to the network resource.
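The issue-and-verify exchange that claims 1, 10, 13, 15 and 16 describe, modelled as an added Python example that is not part of the patent: the first server device stores a BoH (creation time, expiration date, manifest version, integrity check) and issues a certificate (BoH serial number, server address, signature); the second server device verifies the signature, retrieves the BoH by serial from the named server, and denies access on any one of the four failure conditions. Keys, the server address and the manifest version are constructed sample values, and both the integrity check and the digital signature are simplified to HMAC-SHA256.

```python
import hashlib, hmac, json

# Constructed sample keys and values (not from the patent). A deployment would
# sign the certificate with the quarantine server's private key, not an HMAC.
BOH_INTEGRITY_KEY = b"constructed-boh-integrity-key"
CERT_SIGNING_KEY = b"constructed-cert-signing-key"
QUARANTINE_SERVER_ADDR = "quarantine.example.invalid"  # assumed address
CURRENT_MANIFEST_VERSION = 3                           # assumed latest manifest

def _mac(key: bytes, fields: dict) -> str:
    """Keyed digest over a canonical JSON encoding of the fields."""
    data = json.dumps(fields, sort_keys=True).encode()
    return hmac.new(key, data, hashlib.sha256).hexdigest()

class QuarantineServer:
    """First server device: stores a BoH per serial and issues certificates."""
    def __init__(self):
        self.bohs = {}

    def issue(self, status_report: dict, manifest_version: int, now: float, ttl: float):
        # A BoH is stored only when the second status report passes every check.
        if not all(status_report.values()):
            return None
        serial = len(self.bohs) + 1
        boh = {"serial": serial, "created": now, "expires": now + ttl,
               "manifest_version": manifest_version}
        boh["integrity"] = _mac(BOH_INTEGRITY_KEY, boh)   # integrity check
        self.bohs[serial] = boh
        cert = {"serial": serial, "server": QUARANTINE_SERVER_ADDR}
        cert["signature"] = _mac(CERT_SIGNING_KEY, cert)   # digital signature
        return cert

    def fetch_boh(self, serial: int):
        return self.bohs.get(serial)

def admit(cert: dict, servers: dict, now: float) -> bool:
    """Second server device: the four checks of claim 1; any failure denies."""
    unsigned = {k: v for k, v in cert.items() if k != "signature"}
    if not hmac.compare_digest(_mac(CERT_SIGNING_KEY, unsigned), cert.get("signature", "")):
        return False  # certificate modified after issue
    server = servers.get(cert["server"])
    boh = server.fetch_boh(cert["serial"]) if server else None
    if boh is None:
        return False  # no BoH behind this serial
    body = {k: v for k, v in boh.items() if k != "integrity"}
    if not hmac.compare_digest(_mac(BOH_INTEGRITY_KEY, body), boh["integrity"]):
        return False  # BoH tampered
    if now >= boh["expires"]:
        return False  # BoH expired
    return boh["manifest_version"] == CURRENT_MANIFEST_VERSION  # must be latest
```

The periodic renewal the claims require is the client's job: when `admit` starts returning False because the BoH expired or the manifest version moved on, the client re-runs the current manifest and asks the first server for a fresh certificate.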
Specification