System providing methodology for access control with cooperative enforcement
First Claim
1. A method employing supplemental authentication to prevent an inadequately secured client from compromising a host that offers a service that the client wishes to access, the method comprising:
specifying a supplemental authentication policy to be enforced upon the client's request to access the service, the policy establishing firewall and anti-virus measures required to be installed and operational at the client in order for the client to be considered adequately secured for accessing the service;
receiving a request for access to the service from the client;
attempting primary authentication of the client based on credentials presented by the client;
if the client passes primary authentication, attempting secondary authentication by testing the client's current firewall and anti-virus measures against said policy to confirm that the client is adequately secured for accessing the service; and
if the client fails to pass both primary and secondary authentications, denying the client access to the service.
Abstract
A system providing methodology for access control with cooperative enforcement is described. In one embodiment, for example, a method is described for authorizing a client to access a service based on compliance with a policy required for access to the service, the method comprises steps of: specifying a policy required for access to the service; detecting a request for access to the service from a client; attempting authentication of the client based on credentials presented by the client; if the client is authenticated based on the credentials, determining whether the client is in compliance with the policy based, at least in part, on attributes of the client; and if the client is determined to be in compliance with the policy, providing access to the service.
68 Claims
1. (Independent claim; text given above under First Claim.) Dependent claims: 2 through 21.
22. A system providing supplemental authentication to prevent an inadequately secured client device from compromising a host that offers access to a service, the system comprising:
a supplemental authentication policy specifying access privileges to be assigned to a client device based on security-related attributes of the client device that are relevant to the client device's access of the service, said policy establishing firewall and anti-virus measures required to be installed and operational at the client device in order for the client device to be considered adequately secured to access the service;
a primary authentication module for receiving a request from a given client device for access to the service and determining whether to authenticate the given client device for access to the service, wherein the given client device is denied access to the service if the primary authentication module cannot authenticate the device; and
a supplemental authentication module for examining current security-related attributes of the given client device authenticated by said primary authentication module and determining whether to authenticate the given client device by testing whether the given client device's current firewall and anti-virus measures satisfy said policy, wherein the given client device is denied access to the service if the supplemental authentication module cannot authenticate the device.
Dependent claims: 23 through 41.
42. A method providing supplemental authentication to prevent an inadequately secured client from compromising a host that offers a service that the client wishes to access, the method comprising:
specifying a supplemental authentication access policy for assigning privileges to a client to use the service based on security attributes of the client, the policy establishing firewall and anti-virus measures required to be installed and operational at the client in order for the client to be considered adequately secured for accessing the service;
receiving a request for use of the service from a client;
attempting primary authentication of the client based on user identity information provided by the client;
if the client is authenticated based on user identity, attempting supplemental authentication by testing whether the client's current firewall and anti-virus measures satisfy said policy; and
assigning privileges to the client to use the service based on whether the client's firewall and anti-virus measures satisfy said policy, so that the client is denied access to the service if insufficient privileges are assigned.
Dependent claims: 43 through 57.
58. In a system comprising a client computer connecting to a service through a network, a method for regulating access to the service based on a specified supplemental authentication access policy, the policy including requirements about firewall and anti-virus measures that the client computer must meet before the client computer is provided access to the service, the method comprising:
after initial authentication of the client computer has occurred, attempting supplemental authentication of the client computer by transmitting a challenge from the service to the client computer connecting to the service to determine whether the client computer's current firewall and anti-virus measures satisfy the requirements of said policy;
transmitting a response from the client computer back to the service, for responding to the challenge issued by the service that is attempting supplemental authentication of the client computer; and
based on the response received from the client computer, blocking access to the service by the client computer if the client computer's current firewall and anti-virus measures fail to satisfy the requirements of said policy.
Dependent claims: 59 through 68.
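As an added illustration (not code from the patent or its assignee), a minimal Python model of the two-stage decision the independent claims describe: primary authentication on presented credentials, then supplemental authentication testing the client's reported firewall and anti-virus posture against a policy, with access denied if either stage fails. The credential store, the posture fields and the definitions-age threshold are constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass

# Supplemental authentication policy: the measures the claims require at the client.
@dataclass(frozen=True)
class SupplementalPolicy:
    firewall_required: bool = True
    antivirus_required: bool = True
    max_av_definitions_age_days: int = 7  # constructed threshold, not from the patent

# Client posture as reported in the response to the service's challenge (claim 58).
@dataclass(frozen=True)
class ClientPosture:
    firewall_installed: bool
    firewall_running: bool
    antivirus_installed: bool
    antivirus_running: bool
    av_definitions_age_days: int

# Constructed credential store: user -> salted SHA-256 digest of the password.
_SALT = b"constructed-salt"
_CREDENTIALS = {"alice": hashlib.sha256(_SALT + b"correct horse").hexdigest()}

def primary_authentication(user: str, password: str) -> bool:
    """Stage 1: credential check; constant-time compare avoids a timing side channel."""
    expected = _CREDENTIALS.get(user)
    if expected is None:
        return False
    presented = hashlib.sha256(_SALT + password.encode()).hexdigest()
    return hmac.compare_digest(expected, presented)

def supplemental_authentication(posture: ClientPosture, policy: SupplementalPolicy) -> list[str]:
    """Stage 2: test current firewall/anti-virus measures against the policy; return violations."""
    violations = []
    if policy.firewall_required and not (posture.firewall_installed and posture.firewall_running):
        violations.append("firewall not installed and operational")
    if policy.antivirus_required:
        if not (posture.antivirus_installed and posture.antivirus_running):
            violations.append("anti-virus not installed and operational")
        elif posture.av_definitions_age_days > policy.max_av_definitions_age_days:
            violations.append("anti-virus definitions out of date")
    return violations

def authorize(user: str, password: str, posture: ClientPosture, policy: SupplementalPolicy) -> tuple[bool, list[str]]:
    """Cooperative enforcement: access only if both stages pass (claims 1, 22, 42).
    Posture is not examined at all until the credentials have been accepted."""
    if not primary_authentication(user, password):
        return False, ["primary authentication failed"]
    violations = supplemental_authentication(posture, policy)
    return not violations, violations
```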
Specification