System and method of network endpoint security

US 7,793,338 B1
Filed: 10/21/2004
Issued: 09/07/2010
Est. Priority Date: 10/21/2004
Status: Expired due to Fees

First Claim

Patent Images

1. An endpoint security system configured to reside on a quarantined virtual local area network and to manage the connection of a host to either the quarantined virtual local area network or to a non-quarantined virtual area network based on a security assessment of the added host, the endpoint security system comprising:

a security scanner configured to perform a security assessment on the host;

a dynamic host configuration protocol server configured to assign Internet Protocol addresses to hosts added to the quarantined virtual local area network; and

an endpoint security agent configured to;

extract, from at least one packet sent by the dynamic host configuration protocol server, an Internet Protocol address that has been assigned to a host added to the quarantined virtual local area network;

forward the extracted Internet Protocol address to the security scanner and cause the security scanner to perform a security assessment on the added host by scanning the added host, wherein the security scanner is located on a security engine on which the endpoint security agent is located;

receive the security assessment; and

cause a switch to connect the added host to the non-quarantined virtual local area network if, based on the security assessment of the added host, the added host is deemed to be a secure host.

View all claims

11 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system and a method enhance endpoint security of a computer network. The system and method generate security assessments of hosts on quarantined and non-quarantined networks. Based on the generated security assessments, secure hosts are connected to the non-quarantined network and non-secure or vulnerable hosts are connected to the quarantined network. A remediation engine assists with fixing vulnerabilities of the hosts on the quarantined network. Endpoint security agents, security scanners, and remediation engines that carry out the foregoing functions reside on each of the quarantined and non-quarantined networks on hosts that are different from the target hosts. Under such an architecture, the endpoint security system can advantageously be operating system agnostic and can provide complete and powerful endpoint security for targeted hosts without being installed on each individual targeted host. Alternatively, endpoint security agents, security scanners, and remediation agents can reside partially or wholly on one or more target hosts.

Citations

22 Claims

1. An endpoint security system configured to reside on a quarantined virtual local area network and to manage the connection of a host to either the quarantined virtual local area network or to a non-quarantined virtual area network based on a security assessment of the added host, the endpoint security system comprising:
- a security scanner configured to perform a security assessment on the host;
  
  a dynamic host configuration protocol server configured to assign Internet Protocol addresses to hosts added to the quarantined virtual local area network; and
  
  an endpoint security agent configured to;
  
  extract, from at least one packet sent by the dynamic host configuration protocol server, an Internet Protocol address that has been assigned to a host added to the quarantined virtual local area network;
  
  forward the extracted Internet Protocol address to the security scanner and cause the security scanner to perform a security assessment on the added host by scanning the added host, wherein the security scanner is located on a security engine on which the endpoint security agent is located;
  
  receive the security assessment; and
  
  cause a switch to connect the added host to the non-quarantined virtual local area network if, based on the security assessment of the added host, the added host is deemed to be a secure host.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The endpoint security system of claim 1, wherein the security assessment is performed based, at least in part, on whether the host is vulnerable to a number of known viruses and on which ports of the host are open.
  - 3. The endpoint security system of claim 2, wherein the system is operable such that a remediation engine is configured to help fix at least one vulnerability of the vulnerable host by accessing the vulnerable host and executing an application that points a user to at least one resource for fixing the at least one vulnerability.
  - 4. The endpoint security system of claim 3, wherein the application includes a web browser.
  - 5. The endpoint security system of claim 3, wherein the at least one resource includes a patch management system.
  - 6. The endpoint security system of claim 3, wherein the remediation engine is configured to help fix the at least one vulnerability of the vulnerable host by causing a web browser launched by the user on the vulnerable host to be redirected to the at least one resource for fixing the at least one vulnerability.
  - 7. The endpoint security system of claim 3, wherein the remediation engine manages all remedial measures without receiving direction from the security engine.
  - 8. The endpoint security system of claim 1, wherein the security scanner is further configured to periodically generate a follow-up security assessment of a quarantined host and wherein the endpoint security agent is further configured to receive each follow-up security assessment and to cause the switch to connect the quarantined host to a non-quarantined virtual local area network if, based on at least one follow-up security assessment, the quarantined host is deemed to be a secure host.
  - 9. The endpoint security system of claim 1, further comprising causing the switch to direct a connection of the host to the quarantined virtual local area network if, based on at least a portion of the security assessment, the host is deemed to be a vulnerable host.
  - 10. The endpoint security system of claim 9, wherein causing the switch to direct the connection of the host to the quarantined virtual local area network includes leaving the host connected to the quarantined virtual local area network if the host is already connected to the quarantined virtual local area network.
  - 11. The endpoint security system of claim 1, wherein a remediation of at least one vulnerability of the host is managed.

12. A method, comprising:
- performing, by a security scanner, a security assessment on a host; and
  
  assigning, by a dynamic host configuration protocol server, Internet Protocol addresses to hosts added to a quarantined virtual local area network;
  
  extracting, by an endpoint security agent, from at least one, packet sent by the dynamic host configuration protocol server, an Internet Protocol address that has been assigned to a host added to the quarantined virtual local area network;
  
  forwarding, by the endpoint security agent, the extracted Internet Protocol address to the security scanner and cause the security scanner to perform a security assessment on the added host by scanning the added host, wherein the security scanner is located on a security engine on which the endpoint security agent is located;
  
  receiving, by the endpoint security agent, the security assessment; and
  
  causing, by the endpoint security agent, a switch to connect the added host to a non-quarantined virtual local area network if, based on the security assessment of the added host, the added host is deemed to be a secure host.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The method of claim 12, wherein the security assessment is performed based, at least in part, on whether the host is vulnerable to a number of known viruses and on which ports of the host are open.
  - 14. The method of claim 12, wherein the security scanner is further configured to periodically generate a follow-up security assessment of a quarantined host and wherein the endpoint security agent is further configured to receive each follow-up security assessment and to cause the switch to connect the quarantined host to a non-quarantined virtual local area network if, based on at least one follow-up security assessment, the quarantined host is deemed to be a secure host.
  - 15. The method of claim 12, wherein a remediation engine is configured to help fix at least one vulnerability of the vulnerable host by accessing the vulnerable host and executing an application that points a user to at least one resource for fixing the at least one vulnerability.
  - 16. The method of claim 15, wherein the application includes a web browser.
  - 17. The method of claim 15, wherein the at least one resource includes a patch management system.
  - 18. The method of claim 15, wherein the remediation engine is configured to help fix the at least one vulnerability of the vulnerable host by causing a web browser launched by the user on the vulnerable host to be redirected to the at least one resource for fixing the at least one vulnerability.
  - 19. The method of claim 15, wherein the remediation engine manages all remedial measures without receiving direction from the security engine.
  - 20. The method of claim 12, further comprising directing a connection of the host to the quarantined virtual local area network if, based on at least a portion of the security assessment, the host is deemed to be a vulnerable host.
  - 21. The method of claim 12, wherein the directing of the connection of the host to the quarantined virtual local area network includes leaving the host connected to the quarantined virtual local area network if the host is already connected to the quarantined virtual local area network.
  - 22. The method of claim 12, wherein a remediation of at least one vulnerability of the host is managed.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
McAfee, LLC
Original Assignee
McAfee, Inc. (McAfee, LLC)
Inventors
McClure, Stuart C., Beddoe, Marshall A.
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
Poltorak; Peter

Application Number

US10/970,033
Time in Patent Office

2,147 Days
Field of Search

726/3, 726 22- 23
US Class Current

726/3
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/1433   Vulnerability analysis

H04L 63/1491   using deception as counterm...

System and method of network endpoint security

First Claim

11 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

System and method of network endpoint security

First Claim

11 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links