Automated environmental policy awareness

US 7,904,940 B1
Filed: 11/12/2004
Issued: 03/08/2011
Est. Priority Date: 11/12/2004
Status: Active Grant

First Claim

Patent Images

1. A method of configuring a device operating in a network environment, comprising:

receiving a network policy from a policy authority that is an entity other than the device, and that is configured to send one or more network policies to one or more devices operating in the network environment, wherein the network environment is one of a plurality of network environments in which the device is configured to operate;

classifying the network policy based on a trust level of the policy authority, wherein the trust level of the policy authority is established by decrypting a digital signature associated with the network policy using a public key to obtain an identifier associated with the policy authority and comparing the identifier to a list of known policy authorities, and wherein the classification is one of a plurality of classifications each associated with a corresponding one of the plurality of network environments;

determining a local policy according to the classification, wherein the local policy is one of a plurality of local policies, each local policy in the plurality corresponding to an associated one of the plurality of network environments; and

determining a device configuration change to comply with the network policy in accordance with the local policy by merging the received network policy with the determined local policy.

View all claims

3 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Configuring a device operating in a network environment comprises receiving a network policy from a policy authority, classifying the network policy based on the identity of the policy authority, determining a local policy according to the classification, and determining a device configuration change to comply with the network policy in accordance with the local policy. Configuring a device joining a network environment includes detecting that a device has joined the network environment, sending a network policy from a policy authority to the device, the network policy including authentication information for the policy authority, and notifying the presence of the device to a policy monitor.

Citations

33 Claims

1. A method of configuring a device operating in a network environment, comprising:
- receiving a network policy from a policy authority that is an entity other than the device, and that is configured to send one or more network policies to one or more devices operating in the network environment, wherein the network environment is one of a plurality of network environments in which the device is configured to operate;
  
  classifying the network policy based on a trust level of the policy authority, wherein the trust level of the policy authority is established by decrypting a digital signature associated with the network policy using a public key to obtain an identifier associated with the policy authority and comparing the identifier to a list of known policy authorities, and wherein the classification is one of a plurality of classifications each associated with a corresponding one of the plurality of network environments;
  
  determining a local policy according to the classification, wherein the local policy is one of a plurality of local policies, each local policy in the plurality corresponding to an associated one of the plurality of network environments; and
  
  determining a device configuration change to comply with the network policy in accordance with the local policy by merging the received network policy with the determined local policy.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method as recited in claim 1, wherein classifying the network policy includes determining an identity of the policy authority.
  - 3. The method as recited in claim 1, wherein classifying the network policy includes determining that the policy authority is a trusted and known policy authority.
  - 4. The method as recited in claim 1, wherein classifying the network policy includes determining that the policy authority is a trusted and unknown policy authority.
  - 5. The method as recited in claim 1, wherein classifying the network policy includes determining that the policy authority is a distrusted policy authority.
  - 6. The method as recited in claim 1, wherein the network policy includes authentication information.
  - 7. The method as recited in claim 1, wherein the network policy includes a cryptographic signature.
  - 8. The method as recited in claim 1, wherein classifying the network policy includes determining the trust level associated with the policy authority, and the local policy is determined based on the trust level.
  - 9. The method as recited in claim 1, wherein the local policy is associated with the network environment.
  - 10. The method as recited in claim 1, further comprising providing feedback about the device configuration change to a user.
  - 11. The method as recited in claim 1, wherein the device configuration change is adjustable by a user.

12. A device operating in a network, comprising:
- at least one processor configured to;
  
  receive a network policy from a policy authority that is an entity other than the device, and that is configured to send one or more network policies to one or more devices operating in the network environment, wherein the network environment is one of a plurality of network environments in which the device is configured to operate;
  
  classify the network policy based on a trust level of the policy authority, wherein the trust level of the policy authority is established by decrypting a digital signature associated with the network policy using a public key to obtain an identifier associated with the policy authority and comparing the identifier to a list of known policy authorities, and wherein the classification is one of a plurality of classifications each associated with a corresponding one of the plurality of network environments;
  
  determine a local policy according to the classification, wherein the local policy is one of a plurality of local policies, each local policy in the plurality corresponding to an associated one of the plurality of network environments; and
  
  determine a device configuration change to comply with the network policy in accordance with the local policy by merging the received network policy with the determined local policy; and
  
  a memory coupled to the at least one processor, configured to provide the at least one processor with instructions.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The device as recited in claim 12, wherein classifying the network policy includes determining an identity of the policy authority.
  - 14. The device as recited in claim 12, wherein classifying the network policy includes determining that the policy authority is a trusted and known policy authority.
  - 15. The device as recited in claim 12, wherein classifying the network policy includes determining that the policy authority is a trusted and unknown policy authority.
  - 16. The device as recited in claim 12, wherein classifying the network policy includes determining that the policy authority is a distrusted policy authority.
  - 17. The device as recited in claim 12, wherein the network policy includes authentication information.
  - 18. The device as recited in claim 12, wherein the network policy includes a cryptographic signature.
  - 19. The device as recited in claim 12, wherein classifying the network policy includes determining the trust level associated with the policy authority, and the local policy is determined based on the trust level.
  - 20. The device as recited in claim 12, wherein the local policy is associated with the network environment.
  - 21. The device as recited in claim 12, wherein the processor is further configured to provide feedback about the device configuration change to a user.
  - 22. The device as recited in claim 12, wherein the processor is further configured to allow a user to adjust the device configuration change.

23. A non-transitory computer readable storage medium that stores a computer program product for configuring a device operating in a network environment, the computer program product comprising computer instructions for:
- receiving a network policy from a policy authority that is an entity other than the device, and that is configured to send one or more network policies to one or more devices operating in the network environment, wherein the network environment is one of a plurality of network environments in which the device is configured to operate;
  
  classifying the network policy based on a trust level of the policy authority, wherein the trust level of the policy authority is established by decrypting a digital signature associated with the network policy using a public key to obtain an identifier associated with the policy authority and comparing the identifier to a list of known policy authorities, and wherein the classification is one of a plurality of classifications each associated with a corresponding one of the plurality of network environments;
  
  determining a local policy according to the classification, wherein the local policy is one of a plurality of local policies, each local policy in the plurality corresponding to an associated one of the plurality of network environments;
  
  determining a device configuration change to comply with the network policy in accordance with the local policy by merging the received network policy with the determined local policy.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33)
- - 24. The non-transitory computer readable storage medium as recited in claim 23, wherein classifying the network policy includes determining an identity of the policy authority.
  - 25. The non-transitory computer readable storage medium as recited in claim 23, wherein classifying the network policy includes determining that the policy authority is a trusted and known policy authority.
  - 26. The non-transitory computer readable storage medium as recited in claim 23, wherein classifying the network policy includes determining that the policy authority is a trusted and unknown policy authority.
  - 27. The non-transitory computer readable storage medium as recited in claim 23, wherein classifying the network policy includes determining that the policy authority is a distrusted policy authority.
  - 28. The non-transitory computer readable storage medium as recited in claim 23, wherein the network policy includes authentication information.
  - 29. The non-transitory computer readable storage medium as recited in claim 23, wherein the network policy includes a cryptographic signature.
  - 30. The non-transitory computer readable storage medium as recited in claim 23, wherein classifying the network policy includes determining the trust level associated with the policy authority, and the local policy is determined based on the trust level.
  - 31. The non-transitory computer readable storage medium as recited in claim 23, wherein the local policy is associated with the network environment.
  - 32. The non-transitory computer readable storage medium as recited in claim 23, further comprising providing feedback about the device configuration change to a user.
  - 33. The non-transitory computer readable storage medium as recited in claim 23, wherein the device configuration change is adjustable by a user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
CA, Inc. (d/b/a CA Technologies) (Broadcom, Inc.)
Original Assignee
Symantec Corporation (NortonLifeLock Inc.)
Inventors
Bennett, Jeremy, Hernacki, Brian
Primary Examiner(s)
Moazzami; Nasser
Assistant Examiner(s)
ABEDIN, SHANTO

Application Number

US10/987,438
Time in Patent Office

2,307 Days
Field of Search

726/1, 726/2, 726/11, 726/13, 726/26, 726/14, 726/23, 709/229, 709223-225, 713/100, 713/152, 713/166
US Class Current

726/1
CPC Class Codes

G06F 21/57   Certifying or maintaining t...

G06F 2221/2101   Auditing as a secondary aspect

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

H04L 63/20   for managing network securi...

H04L 67/303   Terminal profiles

H04L 67/34   involving the movement of s...

Automated environmental policy awareness

First Claim

3 Assignments

0 Petitions

Accused Products

Abstract

Citations

33 Claims

Specification

Solutions

Use Cases

Quick Links

Automated environmental policy awareness

First Claim

3 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

33 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links