Client compliancy in a NAT environment

US 7,694,343 B2
Filed: 11/09/2005
Issued: 04/06/2010
Est. Priority Date: 11/27/2002
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing client compliance in a network address translation (NAT) environment on a network, comprising:

storing non-compliance data in a NAT device, the non-compliance data including identifiers of non-compliant devices within the NAT environment behind the NAT device;

receiving a query at the NAT device as to a compliance status of a target device within the NAT environment, the query including an identifier of the target device;

determining compliance status of the target device within the NAT environment based on the non-compliance data and the identifier of the target device; and

responsive to determining a status of non-compliance for the target device within the NAT environment, reporting an identifier of the NAT device to an upstream client compliancy system indicating non-compliance of the NAT device.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for implementing client compliancy in a network address translation (NAT) environment are disclosed. Network appliances (e.g., NAT hubs, routers, switches, and other NAT devices) actively cooperate with client compliance strategies by engaging in the compliance evaluation of the hosts connected to it, and interact with the up-stream compliance mechanism. As such, devices normally hidden behind a NAT device from the upstream network can participate in the compliance scheme in a more meaningful way.

Citations

20 Claims

1. A method for enforcing client compliance in a network address translation (NAT) environment on a network, comprising:
- storing non-compliance data in a NAT device, the non-compliance data including identifiers of non-compliant devices within the NAT environment behind the NAT device;
  
  receiving a query at the NAT device as to a compliance status of a target device within the NAT environment, the query including an identifier of the target device;
  
  determining compliance status of the target device within the NAT environment based on the non-compliance data and the identifier of the target device; and
  
  responsive to determining a status of non-compliance for the target device within the NAT environment, reporting an identifier of the NAT device to an upstream client compliancy system indicating non-compliance of the NAT device.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1 further comprising:
    - in response to determining that the target device is compliant, assigning the target device to a protected network coupled to the NAT device.
  - 3. The method of claim 1 further comprising:
    - in response to determining that the target device is non-compliant, assigning the target device to a quarantined network coupled to the NAT device; and
      
      taking remedial steps to eliminate non-compliancy.
  - 4. The method of claim 1 wherein the NAT device has VLAN capability for segregating compliant and non-compliant devices.
  - 5. The method of claim 1 wherein non-compliance data is received at least one of periodically according to a predetermined schedule and on a real-time basis as non-compliances are detected.
  - 6. The method of claim 1 wherein determining compliance status of the target device includes comparing the identifier included in the query against identifiers in a database included in the NAT device.
  - 7. The method of claim 1 wherein the query is sent by the target device itself as part of a self-policing compliance scheme.
  - 8. The method of claim 7 wherein the self-policing compliance scheme further includes removing the identifier of the target device from a NAT device database responsive to a determination that the target device has put itself in compliance with security policies of the network.
  - 9. The method of claim 8 wherein in response to non-compliance of the target device subsequently being detected, re-admitting the target device'"'"'s identifier to the NAT device database.
  - 10. The method of claim 1 wherein the identifiers of non-compliant devices are network addresses including at least one of MAC and IP addresses.
  - 11. The method of claim 1 wherein the upstream client compliancy system stores non-compliance data including identifiers of non-compliant devices from among the NAT device and other client devices outside the NAT environment.

12. A machine-readable medium encoded with instructions, that when executed by a processor, cause the processor to carry out a process for enforcing client compliance in a network address translation (NAT) environment on a network, the process comprising:
- storing non-compliance data in a NAT device, the non-compliance data including identifiers of non-compliant devices within the NAT environment behind the NAT device;
  
  receiving a query at the NAT device as to a compliance status of a target device within the NAT environment, the query including an identifier of the target device;
  
  determining compliance status of the target device within the NAT environment based on the non-compliance data and the identifier of the target device; and
  
  responsive to determining a status of non-compliance for the target device within the NAT environment, reporting an identifier of the NAT device to an upstream client compliancy system indicating non-compliance of the NAT device.
- View Dependent Claims (13, 14, 15)
- - 13. The machine-readable medium of claim 12, the process further comprising:
    - in response to determining that the target device is compliant, assigning the target device to a protected network coupled to the NAT device.
  - 14. The machine-readable medium of claim 12, the process further comprising:
    - in response to determining that the target device is non-compliant, assigning the target device to a quarantined network coupled to the NAT device; and
      
      taking remedial steps to eliminate non-compliancy.
  - 15. The machine-readable medium of claim 14, further comprising:
    - removing the target device from a NAT device database in response to completing the remedial steps to eliminate the non-compliancy.

16. A network address translation (NAT) device for enforcing client compliance on a network, comprising:
- a processor;
  
  a memory comprising a database for storing non-compliance data, the non-compliance data including identifiers of non-compliant devices within the NAT environment behind the NAT device; and
  
  a computer readable storage medium storing program code executable by the processor, the program code including a compliance verification component that when executed causes the processor to perform steps including;
  
  receiving a query as to a compliance status of a target device within the NAT environment, the query including an identifier of the target device;
  
  determining compliance status of the target device within the NAT environment based on the non-compliance data stored in the database and the identifier of the target device; and
  
  responsive to determining a status of non-compliance for the target device within the NAT environment, reporting an identifier of the NAT device to an upstream client compliancy system indicating non-compliance of the NAT device.
- View Dependent Claims (17, 18, 19, 20)
- - 17. The device of claim 16 wherein the NAT device is further configured with VLAN capability for segregating compliant and non-compliant devices.
  - 18. The device of claim 16 wherein determining compliance status of the target device by the compliance verification component includes comparing the identifier included in the query against identifiers in the database.
  - 19. The device of claim 16, wherein the compliance verification component further includes program code that when executed cause the processor to perform steps of:
    - assigning the target device to a quarantined network coupled to the NAT device in response to determining that the target device is non-compliant; and
      
      taking remedial steps to eliminate non-compliancy.
  - 20. The device of claim 19, wherein the compliance verification component further includes program code that when executed cause the processor to perform a step of:
    - removing the target device from a NAT device database in response to completing the remedial steps to eliminate the non-compliancy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Sobel, William E., McCorkendale, Bruce
Primary Examiner(s)
COLIN, CARL G

Application Number

US11/271,610
Publication Number

US 20060075140A1
Time in Patent Office

1,609 Days
Field of Search

726 22- 27
US Class Current

726/27
CPC Class Codes

H04L 61/2514   between local and global IP...

H04L 61/5014   using dynamic host configur...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

Client compliancy in a NAT environment

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Client compliancy in a NAT environment

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links