Systems and methods of controlling network access

US 8,051,460 B2
Filed: 11/18/2008
Issued: 11/01/2011
Est. Priority Date: 09/24/2003
Status: Active Grant

- Alert
- Pin

Associated Cases

Associated Defendants

First Claim

Patent Images

1. A method of granting access to a protected network, the method comprising:

receiving a request for access to a less-restricted subset of the protected network from an access device, the request received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;

applying a security policy to the access device in response to the request;

using the gatekeeper to determine if requirements of the security policy are satisfied by the access device, andreconfiguring the communication port for communicating data between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, when the requirements of the security policy are satisfied.

View all claims

1 Assignment

Timeline View

Assignment View

Litigations

1 Petition

Accused Products

Abstract

A new approach to network security includes manipulating an access point such that an initial communication from an external device is passed to a restricted subset of a computing network including a gatekeeper. The gatekeeper is configured to enforce a security policy against the external device before granting access to a less-restricted subset of the computing network. If requirements of the security policy are satisfied, then the gatekeeper reconfigures the access point such that further communication from the external device may be received by elements of the less-restricted subset. Enforcement of the security policy optionally includes performing a security audit of the external device.

113 Citations

View as Search Results

31 Claims

1. A method of granting access to a protected network, the method comprising:
- receiving a request for access to a less-restricted subset of the protected network from an access device, the request received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
  
  applying a security policy to the access device in response to the request;
  
  using the gatekeeper to determine if requirements of the security policy are satisfied by the access device, andreconfiguring the communication port for communicating data between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, when the requirements of the security policy are satisfied.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15)
- - 2. The method of claim 1, further comprising authenticating a user of the access device.
  - 3. The method of claim 1, further comprising obtaining system data from the access device, and wherein applying the security policy includes using the system data to determine that the access device satisfies the requirements of the security policy.
  - 4. The method of claim 3, wherein the system data includes antivirus software status.
  - 5. The method of claim 1, further comprising communicating between the gatekeeper and an agent executing on the access device to obtain system data from the access device, and wherein applying the security policy includes using the system data to determine that the access device satisfies the requirements of the security policy.
  - 6. The method of claim 5, wherein the system data includes information regarding devices connected to the access device.
  - 7. The method of claim 5, wherein the system data includes information regarding computing code executing on the access device.
  - 8. The method of claim 1, further comprising selecting the security policy from among a plurality of security policies.
  - 9. The method of claim 8, wherein selecting the security policy is responsive to an identity of the access device or an identity of a user of the access device.
  - 10. The method of claim 1, wherein the access point is a network switch.
  - 11. The method of claim 1, wherein the access point is a wireless access point.
  - 12. The method of claim 1, wherein the access point is a remote access virtual private network.
  - 13. The method of claim 1, wherein the gatekeeper is accessible to elements of the less-restricted subset of the protected network.
  - 14. The method of claim 1, wherein the restricted subset of the protected network is characterized by an access control list.
  - 15. The method of claim 14, wherein access to the restricted subset of the protected network is responsive to a switch port configured to communicate with the protected network subject to the access control list.

16. A non-transitory computer-readable storage medium having stored thereon a program, the program being executable by a processor to perform a method for controlling access to a computer network, the method comprising:
- receiving a request for access to a less-restricted subset of the protected network from an access device, the request being received through a communication port of an access point, the communication port configured for communicating between the access device and a restricted subset of the protected network, the restricted subset including a gatekeeper;
  
  applying a security policy to the access device in response to the request; and
  
  reconfiguring the communication port for communicating data between the access device and the less-restricted subset of the protected network without passing the data through the gatekeeper, when requirements of the security policy are satisfied.
- View Dependent Claims (17, 18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29, 30, 31)
- - 17. The non-transitory computer readable storage medium of claim 16, wherein the program is further executable by a processor to authenticate a user of the access device.
  - 18. The non-transitory computer readable storage medium of claim 16, wherein the program is further executable by a processor to obtain system data from the access device, and wherein applying the security policy includes using the system data to determine that the access device satisfies the requirements of the security policy.
  - 19. The non-transitory computer readable storage medium of claim 18, wherein the system data includes antivirus software version data.
  - 20. The non-transitory computer readable storage medium of claim 16, wherein the program is further executable to communicate between the gatekeeper and an agent executing on the access device to obtain system data from the access device, and wherein applying the security policy includes using the system data to determine that the access device satisfies the requirements of the security policy.
  - 21. The non-transitory computer storage readable medium of claim 20, wherein the system data includes information regarding devices connected to the access device.
  - 22. The non-transitory computer readable storage medium of claim 16, wherein the program is further executable to communicate between the gatekeeper and an agent executing on the access device to monitor security status of the access device after reconfiguring the communication port for communicating between the access device and the less-restricted subset.
  - 23. The non-transitory computer readable storage medium of claim 22, wherein the system data includes information regarding computing code executing on the access device.
  - 24. The non-transitory computer readable storage medium of claim 16, wherein the program is further executable to select the security policy from among a plurality of security policies.
  - 25. The non-transitory computer readable storage medium of claim 24, wherein selecting the security policy is responsive to an identity of the access device or an identity of a user of the access device.
  - 26. The non-transitory computer readable storage medium of claim 24, wherein selecting the security policy is responsive to an identity of elements within the less-restricted subset of the protected network to which access is requested.
  - 27. The non-transitory computer readable storage medium of claim 16, wherein the program is further executable to update the access device when requirements of the security policy are not satisfied.
  - 28. The non-transitory computer readable storage medium of claim 16, wherein the gatekeeper is accessible to elements of the less-restricted subset of the protected network.
  - 29. The non-transitory computer readable storage medium of claim 16, wherein the restricted subset of the protected network is characterized by an access control list.
  - 30. The non-transitory computer readable storage medium of claim 29, wherein access to the restricted subset of the protected network is responsive to a VLAN configured to communicate with the protected network subject to the access control list.
  - 31. The non-transitory computer readable storage medium of claim 29, wherein access to the restricted subset of the protected network is responsive to a switch port configured to communicate with the protected network subject to the access control list.

Specification

Resources

Litigation Campaign Assessment

Litigation Data

Current Assignee
InfoExpress, Inc.
Original Assignee
InfoExpress, Inc.
Inventors
Lum, Stacey C., Lee, Yuhshiow Alice
Primary Examiner(s)
Song, Hosuk

Application Number

US12/273,037
Publication Number

US 20090083830A1
Time in Patent Office

1,078 Days
Field of Search

726 1- 4, 726/12, 726/15, 726 23- 24, 713/150, 713/153, 713/168, 709/225, 709228-229
US Class Current

726/1
CPC Class Codes

H04L 63/0876 based on the identity of th...

H04L 63/20 for managing network securi...

Systems and methods of controlling network access

First Claim

1 Assignment

Litigations

1 Petition

Accused Products

Abstract

113 Citations

31 Claims

Specification

Solutions

Use Cases

Quick Links

Systems and methods of controlling network access

First Claim

1 Assignment

Subscription Required

Subscription Required

Litigations

1 Petition

Subscription Required

Accused Products

Subscription Required

Abstract

113 Citations

31 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links