Methods and devices for qualifying a client machine to access a network

US 8,065,712 B1
Filed: 05/25/2005
Issued: 11/22/2011
Est. Priority Date: 02/16/2005
Status: Active Grant

First Claim

Patent Images

1. A method of qualifying a client machine to access a network, comprising the computer-implemented steps of:

receiving a request for access from the client machine from an access server through which the client machine must first go to access the network, said request including user identification information;

determining qualification procedures and standards of adequate protection for the client machine based on the user identification information;

sending the determined qualification procedures to the access server;

receiving from the access server results of applying the qualification procedures at the client machine;

determining a level of allowable network access for the client machine based on the results; and

instructing the access server to enforce the determined level of allowable network access;

wherein determining the qualification procedures and standards of adequate protection comprises;

determining a role for the client machine based on a prioritized set of attributes including two or more of MAC address of the client machine, subnet through which access is requested, IP address of the client machine, and network traffic information;

updating, based on at least one outside source, information used to construct a plurality of policy rule sets providing different levels of network access requirements; and

determining qualification procedures and standards of adequate protection associated with the determined role and the plurality of policy rule sets;

wherein the method is performed by one or more computing devices.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Methods and devices for qualifying a client machine to access a network, based on policies governing required protective measures, such as virus checking and operating system updates, are disclosed. A client machine must pass various checks to qualify for access. A client machine may be redirected to remediation resources that support efforts to bring the client machine into compliance with applicable network access requirements. A policy repository is updated regularly by vendors of protective measures. An administrator establishes user roles that are mapped to policy rule sets retrieved from the policy repository. The policy rule sets govern qualification of client machines for access to the network in accordance with the roles of the users of the machines. An access server is an intermediary between a client machine and the access manager. A client agent runs on the client machine and carries out checks, and reports the results via the access server to the access manager.

128 Citations

29 Claims

1. A method of qualifying a client machine to access a network, comprising the computer-implemented steps of:
- receiving a request for access from the client machine from an access server through which the client machine must first go to access the network, said request including user identification information;
  
  determining qualification procedures and standards of adequate protection for the client machine based on the user identification information;
  
  sending the determined qualification procedures to the access server;
  
  receiving from the access server results of applying the qualification procedures at the client machine;
  
  determining a level of allowable network access for the client machine based on the results; and
  
  instructing the access server to enforce the determined level of allowable network access;
  
  wherein determining the qualification procedures and standards of adequate protection comprises;
  
  determining a role for the client machine based on a prioritized set of attributes including two or more of MAC address of the client machine, subnet through which access is requested, IP address of the client machine, and network traffic information;
  
  updating, based on at least one outside source, information used to construct a plurality of policy rule sets providing different levels of network access requirements; and
  
  determining qualification procedures and standards of adequate protection associated with the determined role and the plurality of policy rule sets;
  
  wherein the method is performed by one or more computing devices.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13)
- - 2. The method of claim 1, additionally comprising the computer-implemented step of:
    - authenticating the user identification information.
  - 3. The method of claim 2, wherein the step of authenticating the user identification information comprises:
    - sending the user identification information to a credentials authority; and
      
      receiving an authentication determination from the credentials authority.
  - 4. The method of claim 1, wherein the step of sending the qualification procedures to the access server comprises sending the qualification procedures to the access server, wherein the access server sends the qualification procedures to the client machine.
  - 5. The method of claim 1, wherein the determined qualification procedures comprise tests to be applied by a client agent resident on the client machine.
  - 6. The method of claim 1, wherein the determined qualification procedures comprise network-based scans to be applied by the access server.
  - 7. The method of claim 1, wherein the determined allowable network access for the client comprises blocking all access to the network.
  - 8. The method of claim 1, wherein the determined allowable network access for the client comprises quarantining the client machine such that the client machine can only access pre-determined safe resources on the network.
  - 9. The method of claim 1, wherein the determined allowable network access for the client comprises allowing the client machine access only to pre-determined remediation resources on the network.
  - 10. The method of claim 9, additionally comprising the step of redirecting the client machine to the pre-determined remediation resources.
  - 11. The method of claim 9, wherein the pre-determined remediation resources comprise a downloadable remediation package that can be installed on the client machine.
  - 12. The method of claim 1, wherein the step of determining qualification procedures and standards of adequate protection for the client comprises:
    - determining if the client machine is on a clean list; and
      
      if the client machine is on the clean list, instructing the access server to allow the client machine to access the network.
  - 13. The method of claim 12, wherein the step of determining if the client machine is on a clean list is based on at least one of user identification information, MAC address of the client machine and IP address of the client machine.

14. A system for qualifying a client machine to access a network, comprising:
- one or more processors;
  
  a computer-readable storage medium storing one or more sequences of instructions, which when executed cause the one or more processors to providean access manager, said access manager storing a plurality of policy rule sets, each policy rule set containing qualification procedures and associated standards of adequate protection; and
  
  said access manager determining qualification procedures and standards of adequate protection;
  
  and to provide at least one access server through which the client machine must first go to access the network;
  
  wherein the access manager provides one or more policy rule sets to the access server for application upon a request from a client machine to access the network;
  
  wherein the access server applies the one or more policy rule sets to the client machine and provides results of applying the qualification procedures to the access manager; and
  
  wherein the access manager determines allowable network access by the client machine based on the results,wherein determining qualification procedures and standards of adequate protection comprises;
  
  determining a role for the client machine based on a prioritized set of attributes including two or more of MAC address of the client machine, subnet through which access is requested, IP address of the client machine, and network traffic information;
  
  updating, based on at least one outside source, information used to construct the plurality of policy rule sets;
  
  determining qualification procedures and standards of adequate protection associated with the determined role, andwherein the plurality of policy rule sets provide different levels of network access requirements.
- View Dependent Claims (15)
- - 15. The system of claim 14, additionally comprising:
    - a second computer-readable medium resident on the client machine and storing one or more sequences of instructions which when executed, cause one or more processors on the client machine to apple at least one of the qualification procedures and send the results to the access server.

16. A method of qualifying a client machine to access a network, comprising the computer-implemented steps of:
- receiving a request for access from the client machine from an access server through which the client machine must first go to access the network, said request including user identification information;
  
  determining if the client machine is on a clean list;
  
  causing the user of the client machine to be authenticated;
  
  determining a role for the user of the client machine based on the authentication results and a prioritized set of attributes including two or more of MAC address of the client machine, subnet through which access is requested, IP address of the client machine, and network traffic information;
  
  determining qualification procedures and standards of adequate protection for the client machine based on the user identification information;
  
  if the client machine is determined to be on the clean list, allowing the client machine to access the network according to the determined role;
  
  sending the determined qualification procedures to the access server;
  
  in response to determining that the qualification procedures include procedures to be applied by a client agent on the client machine, receiving from the access server first results of applying the qualification procedures by the client agent at the client machine;
  
  in response to determining that the first results indicate that the client machine does not meet the determined standards of adequacy, downloading a remediation package to the client machine;
  
  in response to determining that the qualification procedures include procedures to be applied by the access server, receiving from the access server second results of applying the procedures to the client machine;
  
  in response to determining that the second results indicate that the client machine does not meet the determined standards, redirecting the client machine to remediation resources;
  
  determining a level of allowable network access for the client machine based on the determined role; and
  
  instructing the access server to enforce the determined level of allowable network access;
  
  wherein determining the qualification procedures and standards of adequate protection comprises determining a role for the client machine;
  
  updating, based on at least one outside source, information used to construct a plurality of policy rule sets providing different levels of network access requirements;
  
  determining qualification procedures and standards of adequate protection associated with the determined role and the plurality of policy rule sets;
  
  wherein the method is performed by one or more computing devices.

17. A non-transitory computer-readable storage medium storing one or more sequences of instructions which when executed, cause one or more processors to perform:
- receiving a request for access from a client machine from an access server through which the client machine must first go to access a network, said request including user identification information;
  
  determining qualification procedures and standards of adequate protection for the client machine based on the user identification information;
  
  sending the determined qualification procedures to the access server;
  
  receiving from the access server results of applying the qualification procedures at the client machine;
  
  determining a level of allowable network access for the client machine based on the results; and
  
  instructing the access server to enforce the determined level of allowable network access;
  
  wherein determining the qualification procedures and standards of adequate protection comprises;
  
  determining a role for the client machine based on a prioritized set of attributes including two or more of MAC address of the client machine, subnet through which access is requested, IP address of the client machine, and network traffic information;
  
  updating, based on at least one outside source, information used to construct a plurality of policy rule sets providing different levels of network access requirements; and
  
  determining qualification procedures and standards of adequate protection associated with the determined role and the plurality of policy rule sets.
- View Dependent Claims (18, 19, 20, 21, 22, 23, 24, 25, 26, 27, 28, 29)
- - 18. The computer-readable storage medium of claim 17, further comprising instructions which when executed cause the one or more processors to perform authenticating the user identification information.
  - 19. The computer-readable storage medium of claim 18, further comprising instructions which when executed cause the one or more processors to perform sending the user identification information to a credentials authority;
    - receiving an authentication determination from the credentials authority.
  - 20. The computer-readable storage medium of claim 17, further comprising instructions which when executed cause the one or more processors to perform sending the qualification procedures to the access server, wherein the access server sends the qualification procedures to the client machine.
  - 21. The computer-readable storage medium of claim 17, wherein the determined qualification procedures comprise tests to be applied by a client agent resident on the client machine.
  - 22. The computer-readable storage medium of claim 17, wherein the determined qualification procedures comprise network-based scans to be applied by the access server.
  - 23. The computer-readable storage medium of claim 17, wherein the determined allowable network access for the client comprises blocking all access to the network.
  - 24. The computer-readable storage medium of claim 17, wherein the determined allowable network access for the client comprises quarantining the client machine such that the client machine can only access pre-determined safe resources on the network.
  - 25. The computer-readable storage medium of claim 17, wherein the determined allowable network access for the client comprises allowing the client machine access only to pre-determined remediation resources on the network.
  - 26. The computer-readable storage medium of claim 25, further comprising instructions which when executed cause the one or more processors to perform redirecting the client machine to the pre-determined remediation resources.
  - 27. The computer-readable storage medium of claim 25, wherein the pre-determined remediation resources comprise a downloadable remediation package that can be installed on the client machine.
  - 28. The computer-readable storage medium of claim 17, further comprising instructions which when executed cause the one or more processors to perform determining if the client machine is on a clean list;
    - if the client machine is on the clean list, instructing the access server to allow the client machine to access the network.
  - 29. The computer-readable storage medium claim 28, further comprising instructions which when executed cause the one or more processors to perform determining if the client machine is on a clean list based on at least one of user identification information, MAC address of the client machine and IP address of the client machine.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Srirajavatchavai, Venkatapathi Raju, Nair, Rajesh, Cheng, Wen-Chun, Wang, Po-Cheng
Primary Examiner(s)
SIMITOSKI, MICHAEL J

Application Number

US11/138,855
Time in Patent Office

2,372 Days
Field of Search

726/1, 726/4, 726/22, 726/29
US Class Current

726/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/105   Multiple levels of security

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

Methods and devices for qualifying a client machine to access a network

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

128 Citations

29 Claims

Specification

Solutions

Use Cases

Quick Links

Methods and devices for qualifying a client machine to access a network

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

128 Citations

29 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links