Method and system for verification of an endpoint security scan

US 8,024,568 B2
Filed: 10/21/2005
Issued: 09/20/2011
Est. Priority Date: 01/28/2005
Status: Expired due to Fees

First Claim

Patent Images

1. A method of granting a node operated by a user access to resources based on information about the node, comprising:

(a) receiving, by a receiver of a gateway, a request from a node operated by a user to access a resource;

(b) generating, by an agent constructor of the gateway, a scanning agent to gather information about the node;

(c) generating, by a key generator of the gateway, at least one key;

(d) embedding, by an encryption function generator of the gateway, in the scanning agent the at least one generated key;

(e) transmitting, by a transmitter of the gateway, the scanning agent to the node;

(f) encrypting, by the scanning agent, gathered information about the node using the at least one generated key;

(g) decrypting, by a decryptor of the gateway, the encrypted gathered information; and

(h) receiving, by a first component of a policy engine of the gateway, the decrypted gathered information, and generating a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the gathered information;

(i) granting, by a second component of the policy engine, one of a plurality of levels of access to the node to access the resource responsive to application of a policy to the generated dataset.

View all claims

8 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method of granting access to resources includes the step of receiving a request from a node to access a resource. A scanning agent is generated to gather information about the node. A key is generated and embedded in the scanning agent. The scanning agent is transmitted to the node and gathers information regarding the node. The scanning agent encrypts the gathered information using the at least one generated key. The encrypted gathered information is received from the scanning agent and decrypted.

Citations

22 Claims

1. A method of granting a node operated by a user access to resources based on information about the node, comprising:
- (a) receiving, by a receiver of a gateway, a request from a node operated by a user to access a resource;
  
  (b) generating, by an agent constructor of the gateway, a scanning agent to gather information about the node;
  
  (c) generating, by a key generator of the gateway, at least one key;
  
  (d) embedding, by an encryption function generator of the gateway, in the scanning agent the at least one generated key;
  
  (e) transmitting, by a transmitter of the gateway, the scanning agent to the node;
  
  (f) encrypting, by the scanning agent, gathered information about the node using the at least one generated key;
  
  (g) decrypting, by a decryptor of the gateway, the encrypted gathered information; and
  
  (h) receiving, by a first component of a policy engine of the gateway, the decrypted gathered information, and generating a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the gathered information;
  
  (i) granting, by a second component of the policy engine, one of a plurality of levels of access to the node to access the resource responsive to application of a policy to the generated dataset.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein step (a) further comprises receiving the request via a network connection.
  - 3. The method of claim 1, wherein step (b) further comprises selecting, for execution on the node, a subset of scan routines from a plurality of available scan routines.
  - 4. The method of claim 1, wherein step (c) further comprises generating a shared secret key.
  - 5. The method of claim 1, wherein step (c) further comprises generating a public key and a private key.
  - 6. The method of claim 5, wherein step (f) further comprises encrypting the gathered information with the generated public key.
  - 7. The method of claim 5, wherein step (g) further comprises decrypting the encrypted gathered information with the generated public key.
  - 8. The method of claim 1, wherein step (d) further comprises obfuscating the scanning agent.
  - 9. The method of claim 1, wherein step (h) further comprises gathering the information across a network connection.
  - 10. The method of claim 1, wherein step (h) further comprises gathering information about the node including at least one of:
    - operating system type, device type, machine identification number, installed software, Active Directory membership, network connection information, Media Access Control address of an installed network card, operating system patch, software patch, digital watermark, virus scanner and firewall.
  - 11. The method of claim 1, wherein step (i) further comprises decrypting the encrypted gathered information with the at least one generated key.

12. A system of granting a node operated by a user access to resources based on information about the node via an access gateway comprising:
- a receiver, receiving a request from a node operated by a user to access a resource;
  
  an agent constructor, generating a scanning agent for gathering information about the node;
  
  a key generator, in communication with the receiver and the agent constructor, generating at least one key;
  
  a encryption function generator, in communication with the agent constructor and the key generator, embedding the at least one generated key in the generated scanning agent;
  
  a decryptor, receiving encrypted gathered information about the node and decrypting the gathered information;
  
  a first component of a policy engine, receiving the decrypted gathered information and generating a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the gathered information; and
  
  a second component of the policy engine, granting one of a plurality of levels of access to the node to access the resource responsive to application of a policy to the generated dataset.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20)
- - 13. The system of claim 12, wherein the agent constructor selects a subset of a plurality of scan routines for execution on the requestor.
  - 14. The system of claim 12, wherein the agent constructor obfuscates the program code of the scanning agent.
  - 15. The system of claim 12, wherein the agent constructor further comprises a transmitter for transmitting the generated scanning agent to the requester.
  - 16. The system of claim 12, wherein the encryption function generator provides functionality for encrypting data with a generated key.
  - 17. The system of claim 12, wherein the receiver receives encrypted gathered information from the scanning agent and transmits the received encrypted gathered information to the decryptor.
  - 18. The system of claim 12, wherein the key generator further comprises generating a shared secret key.
  - 19. The system of claim 12, wherein the key generator further comprises generating a public key and a private key.
  - 20. The system of claim 12, further comprising a policy engine applying a policy to the received gathered information.

21. A system of granting a node operated by a user access to resources based on information about the node via an access gateway comprising:
- means for receiving a request from a node operated by a user to access a resource;
  
  means for generating a scanning agent for gathering information about a configuration of the node;
  
  means for generating at least one key;
  
  means for embedding the at least one generated key in the generated scanning agent;
  
  means for receiving encrypted gathered information about the configuration of the node and decrypting the gathered information;
  
  means for receiving, by a policy engine, the decrypted gathered information and generating a dataset comprising a plurality of identifiers, each of the plurality of identifiers identifying a respective condition satisfied by the gathered information; and
  
  means for granting, by the policy engine, one of a plurality of levels of access to the node to access the resource responsive to application of a policy to the generated dataset.
- View Dependent Claims (22)
- - 22. The system of claim 21, wherein the gathered information comprises at least one of:
    - operating system type, device type, machine identification number, installed software, Active Directory membership, network connection information, Media Access Control address of an installed network card, OS patch, software patch, digital watermark, virus scanner and firewall.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Citrix Systems, Inc. (Cloud Software Group)
Original Assignee
Citrix Systems, Inc. (Cloud Software Group)
Inventors
McCarthy, Lewis, Simmons, Timothy Ernest, Rao, Goutham
Primary Examiner(s)
Flynn; Nathan
Assistant Examiner(s)
DOAN, TRANG T

Application Number

US11/255,311
Publication Number

US 20060174115A1
Time in Patent Office

2,160 Days
Field of Search

None
US Class Current

713/168
CPC Class Codes

G06F 21/577   Assessing vulnerabilities a...

G06F 21/6218   to a system of files or obj...

G06F 2221/2115   Third party

G06F 2221/2129   Authenticate client device ...

Method and system for verification of an endpoint security scan

First Claim

8 Assignments

0 Petitions

Accused Products

Abstract

Citations

22 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for verification of an endpoint security scan

First Claim

8 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

22 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links