Dynamic address assignment for access control on DHCP networks

US 7,890,658 B2
Filed: 08/28/2009
Issued: 02/15/2011
Est. Priority Date: 09/14/2005
Status: Active Grant

First Claim

Patent Images

1. A method of controlling access to a protected network, the method comprising:

receiving first endpoint information from an agent running on an endpoint, the first endpoint information including a MAC address of the endpoint and information characterizing the endpoint;

receiving a DHCPDISCOVER packet with the MAC address of the endpoint at an input of a DHCP server via a router, the router including an access control list characterizing a restricted subnet of the protected network, the restricted subnet accessible to endpoints with an IP address in a first address range but not accessible to endpoints with an IP address in a second address range;

altering the DHCPDISCOVER packet received at the input, the alteration being responsive to the first endpoint information having met requirements of a security assessment;

passing the altered DHCPDISCOVER packet to a processor configured to execute computing instructions for generating a DHCPOFFER packet;

executing the computing instructions, wherein execution of the computing instructions by the processor generates the DHCPOFFER packet responsive to the alteration made in the DHCPDISCOVER packet, the DHCPOFFER packet including an IP address associated with the first address range if the endpoint information has met the requirements of the security assessment, the DHCPOFFER packet including an IP address associated with the second address range if the endpoint information has not met the requirements of the security assessment;

receiving second endpoint information from the agent as a result of the agent detecting changes at the endpoint; and

using the second endpoint information in a subsequent security assessment.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Systems and methods of managing security on a computer network are disclosed. The computer network includes a restricted subnet and a less-restricted subnet. Access to the restricted subnet is controlled by a network filter, optionally inserted as a software shim on a DHCP server. In some embodiments, the network filter is configured to manipulate relay IP addresses to control whether the DHCP server provides, in a DHCPOFFER packet, an IP address that can be used to access the restricted subset. In some embodiments, configuration information is communicated between the DHCP server and the network filter via DHCPOFFER packets.

Citations

19 Claims

1. A method of controlling access to a protected network, the method comprising:
- receiving first endpoint information from an agent running on an endpoint, the first endpoint information including a MAC address of the endpoint and information characterizing the endpoint;
  
  receiving a DHCPDISCOVER packet with the MAC address of the endpoint at an input of a DHCP server via a router, the router including an access control list characterizing a restricted subnet of the protected network, the restricted subnet accessible to endpoints with an IP address in a first address range but not accessible to endpoints with an IP address in a second address range;
  
  altering the DHCPDISCOVER packet received at the input, the alteration being responsive to the first endpoint information having met requirements of a security assessment;
  
  passing the altered DHCPDISCOVER packet to a processor configured to execute computing instructions for generating a DHCPOFFER packet;
  
  executing the computing instructions, wherein execution of the computing instructions by the processor generates the DHCPOFFER packet responsive to the alteration made in the DHCPDISCOVER packet, the DHCPOFFER packet including an IP address associated with the first address range if the endpoint information has met the requirements of the security assessment, the DHCPOFFER packet including an IP address associated with the second address range if the endpoint information has not met the requirements of the security assessment;
  
  receiving second endpoint information from the agent as a result of the agent detecting changes at the endpoint; and
  
  using the second endpoint information in a subsequent security assessment.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, wherein the restricted IP range and the less restricted IP range represent different subnets.
  - 3. The method of claim 1, wherein the restricted IP range and the less restricted IP range are included in a same subnet.
  - 4. The method of claim 1, further comprising setting an access control list to allow access to the restricted subnet for a packet that includes the IP address associated with the restricted subnet and to prevent access to the restricted subnet for a packet that includes the IP address associated with the less restricted subnet.
  - 5. The method of claim 1, wherein the security assessment includes a requirement that an antivirus program is current.
  - 6. The method of claim 1, wherein the security assessment includes a requirement concerning a specific operating system version.
  - 7. The method of claim 1, wherein the security assessment includes a requirement concerning a specific operating system patch.
  - 8. The method of claim 1, wherein the security assessment includes a requirement concerning monitoring devices connected to the endpoint.
  - 9. The method of claim 1, further comprising updating the endpoint software using a command sent to the agent.
  - 10. The method of claim 9, further comprising remotely updating the agent.
  - 11. The method of claim 9, wherein the security assessment includes a requirement concerning a specific operating system.
  - 12. The method of claim 11, wherein the security assessment includes a requirement concerning a specific operating system patch.
  - 13. The method of claim 11, wherein the security assessment includes a requirement that an antivirus program is current.

14. A method of controlling access to a protected network, the method comprising:
- receiving endpoint information from an agent running on an endpoint, the endpoint information including a MAC address of the endpoint and information characterizing the endpoint;
  
  receiving a DHCPDISCOVER packet with the MAC address of the endpoint at an input of a DHCP server via a router, the router including an access control list characterizing a restricted subnet of the protected network, the restricted subnet accessible to endpoints with an IP address in a first address range but not accessible to endpoints with an IP address in a second address range;
  
  altering the DHCPDISCOVER packet received at the input by including a DHCP option with a value, the value being responsive to the endpoint information having met requirements of a security assessment;
  
  passing the altered DHCPDISCOVER packet to a processor configured to execute computing instructions for generating a DHCPOFFER packet;
  
  executing the computing instructions, wherein execution of the computing instructions by the processor generates the DHCPOFFER packet responsive to the alteration made in the DHCPDISCOVER packet, the DHCPOFFER packet including an IP address associated with the first address range if the endpoint information has met the requirements of the security assessment, the DHCPOFFER packet including an IP address associated with the second address range if the endpoint information has not met the requirements of the security assessment.
- View Dependent Claims (15, 16, 17, 18, 19)
- - 15. The method of claim 14, further comprising receiving second endpoint information from the agent as a result of the agent detecting changes at the endpoint and using the second endpoint information in a subsequent security assessment.
  - 16. The method of claim 15, further comprising updating the endpoint software using a command sent to the agent.
  - 17. The method of claim 16, further comprising remotely updating the agent.
  - 18. The method of claim 16, wherein the security assessment includes a requirement that a antivirus program is current.
  - 19. The method of claim 16, wherein the security assessment includes a requirement concerning a specific operating system patch.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
InfoExpress, Inc.
Original Assignee
InfoExpress, Inc.
Inventors
Lum, Stacey C.
Primary Examiner(s)
JEAN GILLES, JUDE

Application Number

US12/550,321
Publication Number

US 20100005506A1
Time in Patent Office

536 Days
Field of Search

709/245, 709/201, 709/228, 709/229, 709/226, 709/220, 709/225, 709/223
US Class Current

709/245
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/0236   Filtering by address, proto...

H04L 63/101   Access control lists [ACL]

Dynamic address assignment for access control on DHCP networks

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Dynamic address assignment for access control on DHCP networks

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links