System providing methodology for access control with cooperative enforcement

US 7,590,684 B2
Filed: 03/17/2004
Issued: 09/15/2009
Est. Priority Date: 07/06/2001
Status: Active Grant

First Claim

Patent Images

1. A method employing supplemental authentication to prevent an inadequately secured client from compromising a host that offers a service that the client wishes to access, the method comprising:

specifying a supplemental authentication policy to be enforced upon the client'"'"'s request to access the service, the policy establishing firewall and anti-virus measures required to be installed and operational at the client in order for the client to be considered adequately secured for accessing the service;

receiving a request for access to the service from the client;

attempting primary authentication of the client based on credentials presented by the client;

if the client passes primary authentication, attempting secondary authentication by testing the client'"'"'s current firewall and anti-virus measures against said policy to confirm that the client is adequately secured for accessing the service; and

if the client fails to pass both primary and secondary authentications, denying the client access to the service.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system providing methodology for access control with cooperative enforcement is described. In one embodiment, for example, a method is described for authorizing a client to access a service based on compliance with a policy required for access to the service, the method comprises steps of: specifying a policy required for access to the service; detecting a request for access to the service from a client; attempting authentication of the client based on credentials presented by the client; if the client is authenticated based on the credentials, determining whether the client is in compliance with the policy based, at least in part, on attributes of the client; and if the client is determined to be in compliance with the policy, providing access to the service.

122 Citations

View as Search Results

68 Claims

1. A method employing supplemental authentication to prevent an inadequately secured client from compromising a host that offers a service that the client wishes to access, the method comprising:
- specifying a supplemental authentication policy to be enforced upon the client'"'"'s request to access the service, the policy establishing firewall and anti-virus measures required to be installed and operational at the client in order for the client to be considered adequately secured for accessing the service;
  
  receiving a request for access to the service from the client;
  
  attempting primary authentication of the client based on credentials presented by the client;
  
  if the client passes primary authentication, attempting secondary authentication by testing the client'"'"'s current firewall and anti-virus measures against said policy to confirm that the client is adequately secured for accessing the service; and
  
  if the client fails to pass both primary and secondary authentications, denying the client access to the service.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20, 21)
- - 2. The method of claim 1, wherein the service comprises a remote service accessible by the client through a network.
  - 3. The method of claim 1, further comprising:
    - restricting access to the service if the client is determined to be non-compliant with said policy.
  - 4. The method of claim 3, wherein restricting access includes assigning limited access privileges to the client.
  - 5. The method of claim 3, wherein restricting access includes issuing a Kerberos ticket specifying limited access privileges if the client is determined to be non-compliant with the policy.
  - 6. The method of claim 1, wherein said policy comprises a security policy.
  - 7. The method of claim 6, wherein said security policy includes security measures required on the client.
  - 8. The method of claim 1, wherein said policy includes anti-spyware measures required on the client.
  - 9. The method of claim 1, wherein said step of providing access includes issuing a Kerberos ticket specifying access privileges provided to the client.
  - 10. The method of claim 1, wherein the policy further specifies that a selected one of a file integrity policy be in effect at the client, a file be installed at the client, a process be running at the client, a particular checksum value exist at the client, and a particular registry entry exist at the client.
  - 11. The method of claim 1, wherein said receiving step includes receiving a request for access to a server by a remote client.
  - 12. The method of claim 1, wherein said receiving step includes receiving a request for access to a service on a computer system by another process on the computer system.
  - 13. The method of claim 1, wherein said attempting primary authentication step includes authentication based on user identity.
  - 14. The method of claim 1, wherein said attempting primary authentication step includes using a selected one of Kerberos authentication, Pluggable Authentication Module (PAM) authentication, Extensible Authentication Protocol (EAP) authentication, Generic Security Service API (GSS-API) authentication, and trust negotiation in TLS (TNT) authentication.
  - 15. The method of claim 1, wherein said credentials include a selected one of a user name, a password, and a certificate.
  - 16. The method of claim 1, wherein said attempting secondary authentication step includes obtaining firewall and anti-virus information from the client.
  - 17. The method of claim 16, wherein said step of obtaining firewall and anti-virus information from the client includes requesting firewall and anti-virus information collected by a client-side component.
  - 18. The method of claim 1, wherein said attempting secondary authentication step includes substeps of:
    - providing a copy of the policy to the client; and
      
      performing a compliance check at the client to determine compliance with the policy.
  - 19. The method of claim 1, wherein said attempting secondary authentication step includes obtaining information from a security evaluation service that has previously evaluated compliance by the client with the policy.
  - 20. A computer-readable storage medium having processor-executable instructions for performing the method of claim 1.
  - 21. A downloadable set of processor-executable instructions for performing the method of claim 1.

22. A system providing supplemental authentication to prevent an inadequately secured client device from compromising a host that offers access to a service, the system comprising:
- a supplemental authentication policy specifying access privileges to be assigned to a client device based on security-related attributes of the client device that are relevant to the client device'"'"'s access of the service, said policy establishing firewall and anti-virus measures required to be installed and operational at the client device in order for the client device to be considered adequately secured to access the service;
  
  a primary authentication module for receiving a request from a given client device for access to the service and determining whether to authenticate the given client device for access to the service, wherein the given client device is denied access to the service if the primary authentication module cannot authenticate the device; and
  
  a supplemental authentication module for examining current security-related attributes of the given client device authenticated by said primary authentication module and determining whether to authenticate the given client device by testing whether the given client device'"'"'s current firewall and anti-virus measures satisfy said policy, wherein the given client device is denied access to the service if the supplemental authentication module cannot authenticate the device.
- View Dependent Claims (23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41)
- - 23. The system of claim 22, wherein said policy comprises a security policy.
  - 24. The system of claim 22, wherein said policy includes security attributes of the client device.
  - 25. The system of claim 22, wherein said supplemental authentication module determines whether specified anti-virus measures are in effect on the client device.
  - 26. The system of claim 22, wherein said supplemental authentication module examines a selected one of a file integrity policy in effect at the client device, a file installed at the client device, a process running at the client device, a particular checksum value at the client device, and a registry entry at the client device.
  - 27. The system of claim 22, wherein said primary authentication module uses a selected one of Kerberos authentication, Pluggable Authentication Module (PAM) authentication, Extensible Authentication Protocol (LAP) authentication, Generic Security Service API (GSS-API) authentication, and trust negotiation in TLS (TNT) authentication.
  - 28. The system of claim 22, wherein said primary authentication module authenticates the client device based upon user identity.
  - 29. The system of claim 28, wherein the client device provides a user name and password to said primary authentication module for authenticating user identity.
  - 30. The system of claim 28, wherein the client device provides a digital certificate to said primary authentication module for authenticating user identity.
  - 31. The system of claim 22, wherein the supplemental authentication module includes a component on the client device for collecting information about firewall and anti-virus measures.
  - 32. The system of claim 31, wherein the component on the client device evaluates the collected information about firewall and anti-virus measures at the client device for determining compliance of the client device with the policy.
  - 33. The system of claim 32, further comprising:
    - a policy server for providing the policy to the client device.
  - 34. The system of claim 22, wherein the supplemental authentication module receives information about firewall and anti-virus measures of the client device from the client device.
  - 35. The system of claim 34, wherein the client device provides information about firewall and anti-virus measures to the supplemental authentication module in response to a message from the supplemental authentication module.
  - 36. The system of claim 35, wherein said information about firewall and anti-virus measures is provided as a selected one of a text string, an Extensible Markup Language (XML) document, and an Abstract Syntax Notation One (ASN. 1) file.
  - 37. The system of claim 22, wherein the supplemental authentication module permits access to the service if the client device is in compliance with the policy.
  - 38. The system of claim 22, wherein the supplemental authentication module issues a Kerberos ticket specifying the client device'"'"'s access privileges.
  - 39. The system of claim 22, wherein the supplemental authentication module restricts access to the service if the client device is non-compliant with the policy.
  - 40. The system of claim 22, further comprising:
    - a policy server in communication with the supplemental authentication module for evaluating compliance by the client device with the policy based upon attributes of the client device.
  - 41. The system of claim 22, wherein the supplemental authentication module comprises a selected one of an anti-virus engine, a configuration checker, and a security engine.

42. A method providing supplemental authentication to prevent an inadequately secured client from compromising a host that offers a service that the client wishes to access, the method comprising:
- specifying a supplemental authentication access policy for assigning privileges to a client to use the service based on security attributes of the client, the policy establishing firewall and anti-virus measures required to be installed and operational at the client in order for the client to be considered adequately secured for accessing the service;
  
  receiving a request for use of the service from a client;
  
  attempting primary authentication of the client based on user identity information provided by the client;
  
  if the client is authenticated based on user identity, attempting supplemental authentication by testing whether the client'"'"'s current firewall and anti-virus measures satisfy said policy; and
  
  assigning privileges to the client to use the service based on whether the client'"'"'s firewall and anti-virus measures satisfy said policy, so that the client is denied access to the service if insufficient privileges are assigned.
- View Dependent Claims (43, 44, 45, 46, 47, 48, 49, 50, 51, 52, 53, 54, 55, 56, 57)
- - 43. The method of claim 42, wherein said step of assigning privileges includes blocking access to the service if the client is determined to be non-compliant with the access policy.
  - 44. The method of claim 42, wherein said step of assigning privileges includes restricting access to the service if the client is determined to be non-compliant with the access policy.
  - 45. The method of claim 42, wherein set step of assigning privileges includes issuing a Kerberos ticket to the client.
  - 46. The method of claim 42, wherein said access policy includes security measures required on the client.
  - 47. The method of claim 42, wherein said access policy includes anti-spyware measures required on the client.
  - 48. The method of claim 42, wherein said access policy includes an attribute required for the client.
  - 49. The method of claim 48, wherein said attribute includes a selected one of a file integrity policy in effect at the client, a file installed at the client, a process running at the client, a particular checksum value at the client, and a registry entry at the client.
  - 50. The method of claim 42, wherein said receiving step includes receiving a request for access to a server by a remote client.
  - 51. The method of claim 42, wherein said attempting supplemental authentication step includes requesting attribute information from the client.
  - 52. The method of claim 51, wherein the attribute information is provided as a selected one of a text string, an Extensible Markup Language (XML) document, and an Abstract Syntax Notation One (ASN. 1) file.
  - 53. The method of claim 42, wherein said attempting supplemental authentication step includes using a client-side component for collecting attribute information.
  - 54. The method of claim 53, wherein said client-side component determines whether the client is in compliance with the access policy based on the collected attribute information.
  - 55. The method of claim 53, wherein said client-side component sends the collected attribute information to a policy server for determining whether the client is in compliance with the access policy.
  - 56. A computer-readable storage medium having processor-executable instructions for performing the method of claim 42.
  - 57. A downloadable set of processor-executable instructions for performing the method of claim 42.

58. In a system comprising a client computer connecting to a service through a network, a method for regulating access to the service based on a specified supplemental authentication access policy, the policy including requirements about firewall and anti-virus measures that the client computer must meet before the client computer is provided access to the service, the method comprising:
- after initial authentication of the client computer has occurred, attempting supplemental authentication of the client computer by transmitting a challenge from the service to the client computer connecting to the service to determine whether the client computer'"'"'s current firewall and anti-virus measures satisfy the requirements of said policy;
  
  transmitting a response from the client computer back to the service, for responding to the challenge issued by the service that is attempting supplemental authentication of the client computer; and
  
  based on the response received from the client computer, blocking access to the service by the client computer if the client computer'"'"'s current firewall and anti-virus measures fail to satisfy the requirements of said policy.
- View Dependent Claims (59, 60, 61, 62, 63, 64, 65, 66, 67, 68)
- - 59. The method of claim 58, wherein said access policy includes rules that are enforced against selected ones of users, computers, and groups thereof
  - 60. The method of claim 58, wherein said challenge includes at least some rules of said access policy that are transmitted to the client computer.
  - 61. The method of claim 58, wherein said access policy is provided at the client computer.
  - 62. The method of claim 61, wherein the client computer performs a compliance check for determining compliance with the access policy and returns the compliance check result in response to the challenge.
  - 63. The method of claim 58, wherein said policy further specifies that a selected one of a file integrity policy be in effect at the client computer, a file be installed at the client computer, a process be running at the client computer, a particular checksum value exist at the client computer, and a particular registry entry exist at the client computer.
  - 64. The method of claim 58, further comprising:
    - otherwise, permitting access to the service by the client computer.
  - 65. The method of claim 64, wherein permitting the client computer to access the service includes assigning access privileges based on the response received from the client computer.
  - 66. The method of claim 65, wherein assigning access privileges includes issuing a Kerberos ticket for providing said access privileges to the client computer.
  - 67. A downloadable set of processor-executable instructions for performing the method of claim 58.
  - 68. A computer-readable storage medium having processor-executable instructions for performing the method of claim 58.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Original Assignee
Check Point Software Technologies Incorporated (Check Point Software Technologies Limited)
Inventors
Herrmann, Conrad K.
Primary Examiner(s)
Jean; Frantz B

Application Number

US10/708,660
Publication Number

US 20040167984A1
Time in Patent Office

2,008 Days
Field of Search

709/203, 709/217, 709/219, 713/150, 713/182, 713/188, 726/6, 726/10
US Class Current

709/203
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0807   using tickets, e.g. Kerbero...

H04L 63/083   using passwords cryptograph...

H04L 63/20   for managing network securi...

System providing methodology for access control with cooperative enforcement

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

122 Citations

68 Claims

Specification

Use Cases

Quick Links

Others

System providing methodology for access control with cooperative enforcement

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

122 Citations

68 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others