Methods and apparatus to validate configuration of computerized devices

US 8,024,488 B2
Filed: 03/02/2005
Issued: 09/20/2011
Est. Priority Date: 03/02/2005
Status: Active Grant

First Claim

Patent Images

1. A method, comprising:

providing device configuration data to a device configuration certifier from a device that will seek access to a computer network, where the device configuration data describes a configuration of the device that will seek access to the computer network and a role to be taken by the device while accessing the computer network, and where the device configuration data does not include user identity information;

receiving a device configuration verification credential from the configuration certifier, where the device configuration verification credential confirms that the device configuration conforms with a device configuration policy associated with network security in light of the role to be taken by the device, and where the device configuration verification credential is unrelated to user identity and user authentication;

providing the device configuration verification credential to a network device in data communication with the computer network, where the network device controls access to the computer network based, at least in part, on the device configuration verification credential; and

selectively accessing the computer network upon the network device verifying the device configuration verification credential;

wherein the method is performed by one or more processors.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A system verifies configuration of a device within a network via an exchange of verification credentials, which are requested, received and authenticated. The verification credentials indicate that a configuration of the device was acceptable at the time of creation of the verification credentials for that device. The verification credentials of the device are obtained through a certifying process. During the certifying process, the credential certifier receives a current device configuration of the device in the network, and evaluates the current device configuration of a device with respect to its role within a network. The verification credentials are issued to the requesting device and stored within a database. The device submits its verification credentials if being requested by the other peer it'"'"'s communicating with when it enters the network. It also monitors the current device configuration and if there are changes, it invalidates the existing certification credentials and requests new one.

31 Citations

View as Search Results

18 Claims

1. A method, comprising:
- providing device configuration data to a device configuration certifier from a device that will seek access to a computer network, where the device configuration data describes a configuration of the device that will seek access to the computer network and a role to be taken by the device while accessing the computer network, and where the device configuration data does not include user identity information;
  
  receiving a device configuration verification credential from the configuration certifier, where the device configuration verification credential confirms that the device configuration conforms with a device configuration policy associated with network security in light of the role to be taken by the device, and where the device configuration verification credential is unrelated to user identity and user authentication;
  
  providing the device configuration verification credential to a network device in data communication with the computer network, where the network device controls access to the computer network based, at least in part, on the device configuration verification credential; and
  
  selectively accessing the computer network upon the network device verifying the device configuration verification credential;
  
  wherein the method is performed by one or more processors.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The method of claim 1, comprising authenticating the device configuration verification credential.
  - 3. The method of claim 2, where authenticating the device configuration verification credential comprises:
    - confirming the identity of the device providing the device configuration verification credential;
      
      confirming that the device configuration verification credential has not been modified; and
      
      confirming that the device configuration verification credential has not expired.
  - 4. The method of claim 2, where verifying the device configuration verification credential comprises:
    - confirming that a role sought to be played by the device agrees with the role identified in the device configuration verification credential.
  - 5. The method of claim 1, where the device configuration data comprises a software configuration of the device.
  - 6. The method of claim 1, where the device configuration verification credential comprises data describing a role allowed to be played by the device and data describing a version of a configuration policy used to determine the role.
  - 7. The method of claim 1, comprising:
    - specifying a security level at which the device is allowed to access the computer network, where the security level is based, at least in part, on the device configuration verification credential.

8. An apparatus, comprising:
- a memory;
  
  a processor;
  
  a communications interface; and
  
  an interconnection mechanism coupling the memory, the processor and the communications interface;
  
  where the memory is encoded with a verification application that when executed on the processor produces a verification process that causes a computerized device to perform a method, the method comprising;
  
  requesting a verification credential of a device in a network, where the verification credential was provided to the device at a previous time by a configuration certifier, and where the verification credential depends on a role to be played by the device in the network and by a configuration of the device;
  
  receiving the verification credential from the device; and
  
  authenticating that the verification credential received from the device indicates that the configuration of the device was acceptable at the time of creation of the verification credential.
- View Dependent Claims (9, 10, 11)
- - 9. The apparatus of claim 8,where receiving the verification credential comprises:
    - authenticating the device to determine its identity using a device authentication protocol; and
      
      where authenticating the verification credential comprises;
      
      confirming the verification credential has not been modified since creation by the configuration certifier;
      
      verifying that the validation credential has not expired;
      
      verifying that the validation credential contains the identity of the device;
      
      obtaining a role indication of the device;
      
      comparing the role indication of the device with a role indication specified in the verification credentials to verify the role of the device;
      
      comparing the verification credential with credential revocation information to determine whether the device has been revoked; and
      
      specifying a result of the verification.
  - 10. The apparatus of claim 9, where the configuration certifier comprises:
    - a second memory;
      
      a second processor;
      
      a second communications interfacea second interconnection mechanism coupling the second memory, the second processor and the second communications interfacewhere the second memory is encoded with a certification application that when executed on the second processor causes the second processor to execute a certification method, the certification method comprising;
      
      receiving a current device configuration from the device in the networkevaluating the current device configuration of the device in the network, the evaluation including verifying the configuration of the device with respect to a role of the device within the network and comparing an image of the device against a list of acceptable device configurations;
      
      issuing a verification credential indicating the current configuration of the device at the time of creation of the verification credential for that device which includes transferring the verification credential to the device, the verification credential indicating that the current device configuration is certified at the time of issuance of the verification credential; and
      
      storing the verification credential.
  - 11. The apparatus of claim 10, where evaluating the current device configuration includes:
    - obtaining a role indication of the device specified in the current device configuration;
      
      determining if the role indication is acceptable for the device, andif so;
      
      obtaining the image of the device specified in the current device configuration, the image indicating a software configuration of the device that identifies specific software programs installed within the device; and
      
      for acceptable device configurations that correspond to the role indication of the device, comparing the software configuration of the device to the list of acceptable device configurations for that role to determine if the software configuration is acceptable for that device.

12. A non-transitory computer-readable medium storing one or more sequences of instructions which, when executed by one or more processors, cause the one or more processors to perform:
- providing device configuration data to a device configuration certifier from a device that will seek access to a computer network, where the device configuration data describes a configuration of the device that will seek access to the computer network and a role to be taken by the device while accessing the computer network, and where the device configuration data does not include user identity information;
  
  receiving a device configuration verification credential from the configuration certifier, where the device configuration verification credential confirms that the device configuration conforms with a device configuration policy associated with network security in light of the role to be taken by the device, and where the device configuration verification credential is unrelated to user identity and user authentication;
  
  providing the device configuration verification credential to a network device in data communication with the computer network, where the network device controls access to the computer network based, at least in part, on the device configuration verification credential; and
  
  selectively accessing the computer network upon the network device verifying the device configuration verification credential.
- View Dependent Claims (13, 14, 15, 16, 17, 18)
- - 13. The non-transitory computer-readable medium of claim 12, wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed, cause the one or more processors to perform authenticating the device configuration verification credential.
  - 14. The non-transitory computer-readable medium of claim 13, wherein the instructions for performing the authenticating the device configuration verification credential further comprise instructions which, when executed, cause the one or more processors to perform:
    - confirming the identity of the device providing the device configuration verification credential;
      
      confirming that the device configuration verification credential has not been modified; and
      
      confirming that the device configuration verification credential has not expired.
  - 15. The non-transitory computer-readable medium of claim 13, wherein the instructions for performing the verifying the device configuration verification credential further comprise instructions which, when executed, cause the one or more processors to perform confirming that a role sought to be played by the device agrees with the role identified in the device configuration verification credential.
  - 16. The non-transitory computer-readable medium of claim 12, wherein the device configuration data comprises a software configuration of the device.
  - 17. The non-transitory computer-readable medium of claim 12, wherein the device configuration verification credential comprises data describing a role allowed to be played by the device and data describing a version of a configuration policy used to determine the role.
  - 18. The non-transitory computer-readable medium of claim 12, wherein the non-transitory computer-readable storage medium further comprises instructions which, when executed, cause the one or more processors to perform specifying a security level at which the device is allowed to access computer network, wherein the security level is based, at least in part, on the device configuration verification credential.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Zhou, Hao, Salowey, Joseph A.
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
WRIGHT, BRYAN F

Application Number

US11/070,567
Publication Number

US 20060200856A1
Time in Patent Office

2,393 Days
Field of Search

726/5
US Class Current

710/5
CPC Class Codes

H04L 63/126 the source of the received ...

H04L 9/32 including means for verifyi...

Methods and apparatus to validate configuration of computerized devices

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

31 Citations

18 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and apparatus to validate configuration of computerized devices

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

31 Citations

18 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links