Network defense system utilizing endpoint health indicators and user identity

US 8,001,610 B1
Filed: 09/28/2005
Issued: 08/16/2011
Est. Priority Date: 09/28/2005
Status: Active Grant

First Claim

Patent Images

1. A system comprising:

one or more network resources coupled to a network;

an endpoint device coupled to the network that provides a user access to the network resources;

an agent that generates health information that represents a security state of the endpoint device, wherein the agent comprises a software module executing on the endpoint device;

a controller that receives from the endpoint device identification information associated with the user and the health information generated by the agent, wherein the controller includes an authentication engine that authenticates the user and identifies a plurality of roles defined for the user, wherein each role of the plurality of roles corresponds to a membership in a group of users, wherein the controller includes a plurality of policies specifying roles that are to be excluded upon failure of health indicators, and wherein the controller generates access control information by applying the policies with the authentication engine to restrict the roles defined for the user by excluding a subset of the identified roles based on the health information of the endpoint device; and

a protection device coupled to the network, wherein the protection device provides access to the network resources by the endpoint in accordance with the non-excluded roles identified for the user.

View all claims

12 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An endpoint defense system uses endpoint health indicators and user identity information to provide fine-grain access control over network resources. For example, the endpoint defense system may include a controller, a set of protection devices, and a set of agents. The agents are software applications installed on a set of endpoints to gather the health information that represents security states of the endpoint devices. The agents send updated health information to the controller. In response to a login attempt, the controller processes the health indicators and identity information through a set of administrator-defined policies to generate a set of access rights. The controller transfers the set of access rights to the protection devices. The protection devices then control user access to network resources according to the set of access rights. The controller sends updated sets of access rights to the protection devices whenever the access rights change.

195 Citations

41 Claims

1. A system comprising:
- one or more network resources coupled to a network;
  
  an endpoint device coupled to the network that provides a user access to the network resources;
  
  an agent that generates health information that represents a security state of the endpoint device, wherein the agent comprises a software module executing on the endpoint device;
  
  a controller that receives from the endpoint device identification information associated with the user and the health information generated by the agent, wherein the controller includes an authentication engine that authenticates the user and identifies a plurality of roles defined for the user, wherein each role of the plurality of roles corresponds to a membership in a group of users, wherein the controller includes a plurality of policies specifying roles that are to be excluded upon failure of health indicators, and wherein the controller generates access control information by applying the policies with the authentication engine to restrict the roles defined for the user by excluding a subset of the identified roles based on the health information of the endpoint device; and
  
  a protection device coupled to the network, wherein the protection device provides access to the network resources by the endpoint in accordance with the non-excluded roles identified for the user.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 39)
- - 2. The system of claim 1, wherein the controller generates the access control information as a function of the user of the endpoint device, the security state of the endpoint device used by the user, and the network resource that the user attempts to access.
  - 3. The system of claim 1, wherein the access control information specifies actions to apply to communications from the endpoint device.
  - 4. The system of claim 1, wherein the access control information specifies different actions to be applied for different security states of the endpoint device.
  - 5. The system of claim 1, wherein the access control information specifies different actions to be applied for different network resources.
  - 6. The system of claim 1, wherein the access control information specifies different actions to be applied for different roles of users.
  - 7. The system of claim 1, wherein the health information specifies whether the endpoint device possesses a characteristic detectable by a software module.
  - 8. The system of claim 1, wherein the controller comprises a verification engine to verify the identification information.
  - 9. The system of claim 1, further comprising:
    - a protection device policy table that specifies actions to be applied by the protection device to communications for different combinations of roles and network resources; and
      
      an address map that maps to a network address to a set of roles associated with an endpoint,wherein a protection device uses the protection device policy table and the address map to determine which resources may be accessed by an endpoint.
  - 10. The system of claim 1, wherein the agent generates the health information in response to a change to the security state of the endpoint device.
  - 11. The system of claim 1, wherein the agent generates the health information at the time the user attempts to access the network resources.
  - 12. The system of claim 1, wherein the defense agent generates the health information according to a defined time interval.
  - 13. The system of claim 1, wherein the agent provides an interface by which the user brings the endpoint device into compliance with a set of network policies.
  - 14. The system of claim 13, wherein the interface prompts the user to update applications on the endpoint device.
  - 15. The system of claim 1, wherein the agent includes a personal firewall executing on the endpoint device, and wherein the controller configures the personal firewall to control outbound network packets from the endpoint device.
  - 16. The system of claim 1, wherein the endpoint device communicates with the protection device using a secure network protocol.
  - 17. The system of claim 1, wherein the protection device is coupled to the network between the endpoint device and the set of network resources.
  - 39. The system of claim 1,wherein the health information generated by the agent of the endpoint device comprises a report listing specifying that the endpoint fails one or more of a plurality of health indicators;
    - andwherein the protection device controls access by limiting access to a reduced subset of the network resources.

18. A method comprising:
- receiving, with a controller, identity information for a user attempting to access a network via an endpoint device;
  
  authenticating the user;
  
  upon authenticating the user, identifying a plurality of roles defined for the user, wherein each role of the plurality of roles corresponds to membership in a group of users;
  
  receiving, from the endpoint device, health information generated by a software module executing on the endpoint device, wherein the health information represents a security state of the endpoint device;
  
  based on a failure of a health indicator within the health information, restricting, with the controller, the plurality of roles defined for the user by applying one or more of policies to exclude a subset of the plurality of roles defined for the user;
  
  generating access control information based on the restricted roles for the user; and
  
  applying the access control information to provide access to the network resources in accordance with the non-excluded roles defined for the user.
- View Dependent Claims (19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 40, 41)
- - 19. The method of claim 18, wherein the access control information specifies actions to apply to communications from the endpoint device.
  - 20. The method of claim 18, wherein generating access control information further comprises generating access control information as a function of the user, the health information of the endpoint device used by the user, and a specific network resource that the user attempts to access.
  - 21. The method of claim 18, wherein the access control information specifies different actions to be applied for different security states of the endpoint device.
  - 22. The method of claim 18, wherein the access control information specifies different actions to be applied for different network resources.
  - 23. The method of claim 18, wherein the access control information specifies different actions to be applied for different roles of users.
  - 24. The method of claim 18, wherein the health information specifies whether the endpoint device contains a virus.
  - 25. The method of claim 18, wherein the health information specifies whether a required software application is installed on the endpoint device.
  - 26. The method of claim 18, wherein the health information specifies whether a required software process is executing on the endpoint device.
  - 27. The method of claim 18, further comprising verifying the identity information.
  - 28. The method of claim 18, further comprising:
    - mapping the identity information and health indicators to the roles; and
      
      specifying actions to be applied to network communications for different combinations of the roles and the network resources.
  - 29. The method of claim 28, wherein controlling access to the network resources comprises applying the actions to network communications sent to the network resources.
  - 30. The method of claim 28, wherein mapping the identity information comprises entering mappings of identity information to the roles in a database.
  - 31. The method of claim 18, further comprising configuring a personal firewall installed on the endpoint device with the software module to control network communications from the endpoint device.
  - 32. The method of claim 18, wherein generating the health information comprises generating the health information in response to a change to a security state of the endpoint device.
  - 33. The method of claim 18, wherein generating the health information comprises generating the health information at the time the user attempts to access the network resources.
  - 34. The method of claim 18, wherein generating the health information comprises generating the health information according to a defined time interval.
  - 35. The method of claim 18, further comprising providing an interface by which the user brings the endpoint device into compliance with a set of network policies.
  - 36. The method of claim 35, wherein providing the interface comprises prompting the user to update applications on the endpoint device.
  - 37. The method of claim 18, wherein the protection device is coupled to the network between the endpoint device and the set of network resources.
  - 40. The method of claim 18,wherein generating health information further comprises generating a report listing whether the endpoint passes or fails each of a plurality of health indicators, wherein the endpoint device used by the user fails one or more of the health indicators;
    - andwherein applying access control information to control access to the network resources permits access to a reduced subset of network resources.
  - 41. The method of claim 18,wherein the health information comprises a report listing whether the endpoint passes or fails a set of health indicators, wherein the endpoint device used by the user passes all of the health indicators;
    - andwherein applying access control information to control access to the network resources does not further limit access to the network resources.

38. A non-transitory computer-readable storage medium having program code encoded thereon comprising instructions that, when executed, cause a programmable processor to:
- receive identity information for a user attempting to access a network via an endpoint device;
  
  receive, from the endpoint device, health information generated by a software module executing on the endpoint device to collect health information about the endpoint device;
  
  authenticate the identity information;
  
  identify a plurality of roles defined for the user, wherein each role of the set of roles corresponds to membership in a group of users;
  
  modify a set of roles for the user based on a failure of a health indicator within the health information about the endpoint device by applying one or more of policies to exclude a subset of the plurality of roles defined for the user;
  
  assign access rights to the user based on the modified roles; and
  
  permit the user to access network resources in accordance with non-excluded roles defined for the user.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Pulse Secure, LLC (Ivanti Software, Inc.)
Original Assignee
Juniper Networks Incorporated
Inventors
Srinivas, Sampath, Liu, Timothy, Chickering, Roger
Primary Examiner(s)
Smithers; Matthew B
Assistant Examiner(s)
SHOLEMAN, ABU S

Application Number

US11/236,987
Time in Patent Office

2,148 Days
Field of Search

726/11, 726/25, 726 1- 2, 726/4, 726 22- 27, 726/28, 726/29, 713/201, 713182-186, 709223-226
US Class Current

726/27
CPC Class Codes

G06F 21/00   Security arrangements for p...

H04L 63/105   Multiple levels of security

H04L 63/20   for managing network securi...

H04L 67/125   involving control of end-de...

H04L 9/40   Network security protocols

Network defense system utilizing endpoint health indicators and user identity

First Claim

12 Assignments

0 Petitions

Accused Products

Abstract

195 Citations

41 Claims

Specification

Solutions

Use Cases

Quick Links

Network defense system utilizing endpoint health indicators and user identity

First Claim

12 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

195 Citations

41 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links