Network policy evaluation

US 7,592,906 B1
Filed: 06/05/2006
Issued: 09/22/2009
Est. Priority Date: 06/05/2006
Status: Active Grant

First Claim

Patent Images

1. A device, comprising:

an interface to;

send network communication policy information to an evaluation module, where the network communication policy information is related to a plurality of network policies,receive a plurality of results from the evaluation module, where the plurality of results indicates whether a status of a network source device complies with the plurality of network policies, andsend an instruction to a network destination device that is to implement at least a subset of the network policies with respect to the network source device based on the instruction.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A device may include an interface to send policy information to an evaluation module, where the policy information is related to a group of policies, and receive a group of results from the evaluation module, where the group of results indicates whether the status of a source device complies with the group of policies. The interface may send an instruction to a destination device configured to implement at least a subset of the policies with respect to the source device based on the instruction.

Citations

38 Claims

1. A device, comprising:
- an interface to;
  
  send network communication policy information to an evaluation module, where the network communication policy information is related to a plurality of network policies,receive a plurality of results from the evaluation module, where the plurality of results indicates whether a status of a network source device complies with the plurality of network policies, andsend an instruction to a network destination device that is to implement at least a subset of the network policies with respect to the network source device based on the instruction.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The device of claim 1, where the status is related to a health of the network source device, used to transmit information.
  - 3. The device of claim 1, where the network communication policy information includes a policy identifier, a policy name, policy contents, or a link.
  - 4. The device of claim 1, where the evaluation module is a plug-in module to receive network communication policy information for at least two network policies in parallel.
  - 5. The device of claim 1, where the evaluation module determines the plurality of results at substantially the same time.
  - 6. The device of claim 1, where the evaluation module maintains the plurality of network policies in a computer-readable medium.
  - 7. The device of claim 1, where the evaluation module is operating on the device.
  - 8. The device of claim 1, where the evaluation module is connected to the device from a remote location.
  - 9. The device of claim 1, where the evaluation module communicates with the device via an application program interface.
  - 10. The device of claim 1, where the evaluation module communicates with the device via a protocol.
  - 11. The device of claim 1, where the network destination device is a network device operating as a policy enforcement point.
  - 12. The device of claim 1, where the device allows the network source device to communicate with a protected device when the network source device complies with at least one of the plurality of network policies.
  - 13. The device of claim 1, where the interface receives measurement information related to a status of the network source device and sends the measurement information to the evaluation module.

14. A network device, comprising:
- an interface to;
  
  receive instructions related to network policies determined by a server with respect to a protected network device, where the instructions are related to policy results produced by an evaluation module operating in conjunction with the server,receive a message from an endpoint, where the message is intended for the protected network device, andforward the message to the protected network device when the endpoint complies with at least a subset of the network policies.
- View Dependent Claims (15, 16)
- - 15. The network device of claim 14, where the network device operates between a first network that is connected to the endpoint and a second network that is connected to the protected network device.
  - 16. The network device of claim 14, where the network device enforces a first set of network policies on behalf of the server and enforces a second set of network policies on behalf of another network device.

17. A module, comprising:
- interface logic to;
  
  receive network communication information identifying a plurality of network policies related to a network client device, andsend policy results to a host device, where the policy results are related to the network client device; and
  
  evaluation logic to;
  
  process policy contents based on the network communication information, andproduce the network policy results based on the processing of the policy contents, where the network policy results are used by the host device to implement the network policies with respect to a network destination device when the network client device attempts to communicate with the network destination device.
- View Dependent Claims (18, 19, 20, 21, 22)
- - 18. The module of claim 17, where the interface logic includes an application program interface.
  - 19. The module of claim 17, where the evaluation logic processes the policy contents in parallel.
  - 20. The module of claim 17, where the evaluation logic processes the policy contents in serial.
  - 21. The module of claim 17, where the module is to:
    - produce second network policy results based on other information, where the second network policy results are produced on behalf of another network device.
  - 22. The module of claim 17, further comprising:
    - storage logic to;
      
      store or retrieve data associated with each of the plurality of network policies.

23. A method, comprising:
- sending network communication policy information to a module via an interface;
  
  receiving network policy results from the module in response to sending the network communication policy information; and
  
  sending an enforcement instruction to a network device based on the received network policy results, where the enforcement instruction causes the network device to allow a device to access a network resource when the device complies with at least one of a plurality of network policies that are related to the network communication policy information.
- View Dependent Claims (24, 25, 26, 27, 28, 29)
- - 24. The method of claim 23, further comprising:
    - receiving network access information about the network device operating on a first network; and
      
      generating the enforcement instruction for use with the network device and a second network.
  - 25. The method of claim 23, where the sending network communication policy information comprises:
    - sending policy identifiers, policy contents, policy names or links.
  - 26. The method of claim 23, where the receiving network policy results from the module further comprises:
    - receiving network policy results from a plug-in module or a remote module.
  - 27. The method of claim 23, further comprising:
    - sending at least a subset of the network access policy results, a remediation instruction, a link to remediation information, or an authorization mechanism to the network device.
  - 28. The method of claim 23, where the enforcement instruction further allows the device to access the entire network resource or a portion of the network resource when the device complies with at least one of the plurality of network policies.
  - 29. The method of claim 23, further comprising:
    - receiving measurements related to the device, where the device is subject to the enforcement instruction.

30. A device, comprising:
- a module to;
  
  receive network device measurements,retrieve information related to a plurality of network communication policies pertaining to the health of the network device,retrieve at least a subset of the network communication policies based on the information,process the measurements with the at least a subset of the network communication policies to determine the health of the network device,generate network policy results representing the health of the network device based on the processing, andsend the network policy results to a component in the device, where the results are used by the component to allow the network device to perform an operation when the health of the network device meets a determined threshold.

31. A computer readable memory device that stores instructions executable by a processing device, the computer readable memory device comprising:
- instructions for receiving network communication policy information;
  
  instructions for retrieving a plurality of network policies based on the network communication policy information;
  
  instructions for determining whether a network device complies with the plurality of network policies;
  
  instructions for producing policy results based on the determining; and
  
  instructions for sending the policy results to a policy decision point that is to implement at least a subset of the network policies on behalf of a destination.

32. A device, comprising:
- means for receiving measurements from a network source device via a first network;
  
  means for sending the measurements and network policy information to a module;
  
  means for receiving a plurality of network policy results from the module, where the plurality of network policy results are based on processing the measurements with a plurality of network policies identified by network policy information; and
  
  means for sending network policy enforcement instructions to a network device to allow the network source device to communicate with a network protected device via a second network when the network source device complies with at least a subset of the plurality of network policies.

33. A module, comprising:
- interface logic to;
  
  receive measurements related to a client device, where the measurements are used to enforce a network policy with respect to the client device,receive network communication information identifying a plurality of network policies related to the client device, andsend network policy results to a host device, where the network policy results are related to the client device;
  
  storage logic to;
  
  store or retrieve network policy contents for the plurality of network policies; and
  
  evaluation logic to;
  
  process the measurements and the network policy contents based on the network communication information, andproduce the network policy results based on the processing, where the network policy results are used by the host device to implement the network policies with respect to a destination device and with respect to the client device.

34. A network device, comprising:
- a module to;
  
  retrieve data communication information related to a plurality of network policies pertaining to the health of the network device, retrieve at least a subset of the policies based on the data communication information,determine the health of the network device using the subset of the network policies,generate policy results representing the health of the network device, andsend the policy results to a component in the network device, where the results are used by the component to allow the network device to perform an operation when the health of the network device meets a determined threshold.

35. A method, comprising:
- receiving policy information related to a network source device used to transmit information via an interface;
  
  identifying a plurality of policies related to the policy information;
  
  processing the policy information using the plurality of policies;
  
  determining policy results based on the processing; and
  
  sending the policy results to a destination for use in enforcing at least a subset of the plurality of policies with respect to the network source device.
- View Dependent Claims (36, 37, 38)
- - 36. The method of claim 35, where the processing further comprises:
    - simultaneously processing the policy information.
  - 37. The method of claim 35, where the processing further comprises:
    - sequentially processing the policy information.
  - 38. The method of claim 35, where the receiving further comprises:
    - receiving policy information pertaining to the plurality of network policies.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Hanna, Stephen R., Chickering, Roger Allen
Primary Examiner(s)
La; Anh V

Application Number

US11/422,109
Time in Patent Office

1,205 Days
Field of Search

340/506, 340/286.02, 434/236, 434/238, 434/235, 128/920, 128/923, 709/225, 709/200, 709/223, 709/229
US Class Current

340/506
CPC Class Codes

H04L 63/0227 Filtering policies mail mes...

H04L 63/20 for managing network securi...

Network policy evaluation

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

Citations

38 Claims

Specification

Solutions

Use Cases

Quick Links

Network policy evaluation

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

38 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links