Network defense system utilizing endpoint health indicators and user identity
First Claim
1. A system comprising:
one or more network resources coupled to a network;
an endpoint device coupled to the network that provides a user access to the network resources;
an agent that generates health information that represents a security state of the endpoint device, wherein the agent comprises a software module executing on the endpoint device;
a controller that receives from the endpoint device identification information associated with the user and the health information generated by the agent, wherein the controller includes an authentication engine that authenticates the user and identifies a plurality of roles defined for the user, wherein each role of the plurality of roles corresponds to a membership in a group of users, wherein the controller includes a plurality of policies specifying roles that are to be excluded upon failure of health indicators, and wherein the controller generates access control information by applying the policies with the authentication engine to restrict the roles defined for the user by excluding a subset of the identified roles based on the health information of the endpoint device; and
a protection device coupled to the network, wherein the protection device provides access to the network resources by the endpoint in accordance with the non-excluded roles identified for the user.
Abstract
An endpoint defense system uses endpoint health indicators and user identity information to provide fine-grained access control over network resources. For example, the endpoint defense system may include a controller, a set of protection devices, and a set of agents. The agents are software applications installed on a set of endpoints to gather the health information that represents the security states of the endpoint devices. The agents send updated health information to the controller. In response to a login attempt, the controller processes the health indicators and identity information through a set of administrator-defined policies to generate a set of access rights. The controller transfers the set of access rights to the protection devices. The protection devices then control user access to network resources according to the set of access rights. The controller sends updated sets of access rights to the protection devices whenever the access rights change.
41 Claims
1. A system comprising the elements set out above under First Claim. Dependent claims: 2-17 and 39.

18. A method comprising:
receiving, with a controller, identity information for a user attempting to access a network via an endpoint device;
authenticating the user;
upon authenticating the user, identifying a plurality of roles defined for the user, wherein each role of the plurality of roles corresponds to membership in a group of users;
receiving, from the endpoint device, health information generated by a software module executing on the endpoint device, wherein the health information represents a security state of the endpoint device;
based on a failure of a health indicator within the health information, restricting, with the controller, the plurality of roles defined for the user by applying one or more policies to exclude a subset of the plurality of roles defined for the user;
generating access control information based on the restricted roles for the user; and
applying the access control information to provide access to the network resources in accordance with the non-excluded roles defined for the user.
Dependent claims: 19-37, 40 and 41.

38. A non-transitory computer-readable storage medium having program code encoded thereon comprising instructions that, when executed, cause a programmable processor to:
receive identity information for a user attempting to access a network via an endpoint device;
receive, from the endpoint device, health information generated by a software module executing on the endpoint device to collect health information about the endpoint device;
authenticate the identity information;
identify a plurality of roles defined for the user, wherein each role of the set of roles corresponds to membership in a group of users;
modify a set of roles for the user based on a failure of a health indicator within the health information about the endpoint device by applying one or more policies to exclude a subset of the plurality of roles defined for the user;
assign access rights to the user based on the modified roles; and
permit the user to access network resources in accordance with non-excluded roles defined for the user.
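As an added illustration (not code from the patent or its assignee), the following Python model walks through the controller and protection-device flow that the abstract and claims 1, 18 and 38 describe: the roles the authentication engine reports for a user are restricted by administrator-defined policies that exclude roles when a health indicator fails, the resulting access rights are pushed to a protection device, and an updated agent report triggers a re-push only when the rights change. All user, role, indicator and resource names are constructed for the example.

```python
# Constructed sample data with hypothetical names (added example).
USER_ROLES = {"employee", "finance", "admin"}
# Administrator-defined policies: each names one health indicator and
# the roles excluded when that indicator fails.
POLICIES = [
    {"indicator": "antivirus_current", "exclude": {"finance", "admin"}},
    {"indicator": "os_patched", "exclude": {"admin"}},
    {"indicator": "firewall_enabled", "exclude": {"employee", "finance", "admin"}},
]

# Roles that the protection device requires for each network resource.
RESOURCE_ACL = {
    "intranet": {"employee"},
    "ledger-db": {"finance"},
    "mgmt-console": {"admin"},
}

def restrict_roles(roles, health, policies):
    """Controller: drop every role a policy excludes for a failed indicator.
    An indicator the agent did not report counts as failed (fail closed)."""
    excluded = set()
    for policy in policies:
        if not health.get(policy["indicator"], False):
            excluded |= policy["exclude"]
    return set(roles) - excluded

def access_rights(roles, health, policies, acl):
    """Access control information: resources reachable via a non-excluded role."""
    allowed = restrict_roles(roles, health, policies)
    return {res for res, needed in acl.items() if allowed & needed}

class ProtectionDevice:
    """Enforces the latest access rights pushed by the controller."""
    def __init__(self):
        self.rights = {}

    def update(self, user, rights):
        self.rights[user] = set(rights)

    def permit(self, user, resource):
        return resource in self.rights.get(user, set())

def on_health_report(device, user, roles, health, policies=POLICIES, acl=RESOURCE_ACL):
    """Controller handler for a login or an updated agent report: recompute
    the rights and push them to the protection device only if they changed."""
    rights = access_rights(roles, health, policies, acl)
    if device.rights.get(user) != rights:
        device.update(user, rights)
        return True   # a new set of access rights was sent
    return False      # unchanged, nothing sent
```

Treating an unreported indicator as failed is a deliberate choice here: an agent that is missing or tampered with should narrow access, not widen it.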