DHCP-based security policy enforcement system

US 8,312,270 B1
Filed: 12/17/2007
Issued: 11/13/2012
Est. Priority Date: 12/17/2007
Status: Active Grant

First Claim

Patent Images

1. A method of requesting an IP address within a computer network having a security policy, said method comprising:

receiving a request at a DHCP server to provide an IP address for an end-user computer within said computer network;

consulting a blacklist database to determine if an identification of said end-user computer is present in said blacklist database, wherein the presence of said identification indicates that said end-user computer has previously been identified as not being compliance with said security policy of said computer network;

determining that said identification of said end-user computer is not present in said blacklist database without undertaking an analysis of whether or not the end-user computer is actually in compliance with said security policy of said computer network;

returning to said end-user computer an IP address and a special lease time shorter than would normally be assigned, wherein the special lease time is based upon a value for a number of times that the end-user computer has requested an IP address from the DHCP server, wherein the returned IP address provides full access privileges to said computer network;

subsequently to the returning, probing said end-user computer to determine that the end-user computer is actually in compliance with said security policy of said computer network; and

upon expiration of the special lease time, assigning another IP address with a lease time longer than the special lease time, wherein the another IP address provides full access privileges to said computer network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A plug-in module of a DHCP server enforces a security policy of a computer network. The module receives a request to provide an IP address for an end-user computer. A blacklist database is consulted to determine if the computer is not in compliance with the policy. If not compliant, the module returns to the computer a special IP address, a special default gateway and a lease time; the special IP address places the computer in a restricted network segment of the network where it cannot send network packets to other computers. If compliant, the computer receives an IP address and a lease time. The first time an IP address is requested a probe is triggered to determine if the computer is compliant using software not present on the computer. A cleanup service located in the restricted segment remove malware and updates software. Lease times increase after each successful request of an IP address.

30 Citations

View as Search Results

19 Claims

1. A method of requesting an IP address within a computer network having a security policy, said method comprising:
- receiving a request at a DHCP server to provide an IP address for an end-user computer within said computer network;
  
  consulting a blacklist database to determine if an identification of said end-user computer is present in said blacklist database, wherein the presence of said identification indicates that said end-user computer has previously been identified as not being compliance with said security policy of said computer network;
  
  determining that said identification of said end-user computer is not present in said blacklist database without undertaking an analysis of whether or not the end-user computer is actually in compliance with said security policy of said computer network;
  
  returning to said end-user computer an IP address and a special lease time shorter than would normally be assigned, wherein the special lease time is based upon a value for a number of times that the end-user computer has requested an IP address from the DHCP server, wherein the returned IP address provides full access privileges to said computer network;
  
  subsequently to the returning, probing said end-user computer to determine that the end-user computer is actually in compliance with said security policy of said computer network; and
  
  upon expiration of the special lease time, assigning another IP address with a lease time longer than the special lease time, wherein the another IP address provides full access privileges to said computer network.
- View Dependent Claims (2, 3, 4, 5)
- - 2. A method as recited in claim 1, wherein the probing is performed using policy checking software not residing on said end-user computer.
  - 3. A method as recited in claim 1 wherein said identification of said end-user computer is an IP address, a MAC address, or said IP address and said MAC address.
  - 4. A method as recited in claim 1 wherein said step of returning includesreturning to said end-user computer a special gateway IP address, said special gateway IP address effectively preventing said end-user computer from communicating with other end-user computers of said computer network and logically placing said end-user computer in a restricted network segment of said computer network.
  - 5. A method as recited in claim 1 further comprising:
    - receiving a first request at said DHCP server to provide an IP address for said end-user computer within said computer network;
      
      returning to said end-user computer a normal IP address; and
      
      after returning said normal IP address, probing said end-user computer to determine if said end-user computer complies with said security policy.

6. A method of requesting an IP address within a computer network having a security policy, said method comprising:
- receiving a request at a DHCP server to provide an IP address for an end-user computer within said computer network;
  
  consulting a blacklist database to determine if an identification of said end-user computer is present in said blacklist database, wherein the presence of said identification indicates that said end-user computer is not in compliance with said security policy of said computer network;
  
  determining that said identification of said end-user computer is not present in said blacklist database;
  
  determining how many times said end-user computer has requested an IP address;
  
  returning to said end-user computer a normal IP address and a lease time, wherein the lease time is dependent on the number of times said end-user computer has requested an IP address; and
  
  instructing that said end-user computer be probed with policy checking software to determine if said end-user computer complies with said security policy, wherein said policy checking software does not reside upon said end-user computer.
- View Dependent Claims (7, 8, 9, 10, 11)
- - 7. A method as recited in claim 6 further comprising:
    - probing said end-user computer with said policy checking software after said step of returning;
      
      determining that said end-user computer is not in compliance with said security policy; and
      
      adding said identification of said end-user computer to said blacklist database.
  - 8. A method as recited in claim 7 further comprising:
    - instructing that a cleanup service software application remove malware from said end-user computer; and
      
      removing said identification of said end-user computer from said blacklist database.
  - 9. A method as recited in claim 6 further comprising:
    - determining that said end-user computer has requested an IP address a maximum number of times; and
      
      resetting said how many times in said blacklist database.
  - 10. A method as recited in claim 6 further comprising:
    - receiving subsequent requests from said end-user computer for an IP address; and
      
      returning to said end-user computer after each of said subsequent requests a normal IP address and a subsequent lease time, wherein each of said subsequent lease times is longer than a previous lease time.
  - 11. A method as recited in claim 6 wherein said identification of said end-user computer is an IP address, a MAC address, or said IP address and said MAC address.

12. A method of enforcing a security policy within a computer network, said method comprising:
- receiving a request at a DHCP server to provide an IP address for an end-user computer within said computer network;
  
  returning to said end-user computer an IP address and a lease time;
  
  probing said end-user computer with policy checking software to determine if said end-user computer complies with said security policy, wherein said policy checking software does not reside upon said end-user computer;
  
  determining that said end-user computer does not comply with said security policy and adding an identification of said end-user computer to a blacklist database, wherein the presence of said identification prevents said end-user computer from receiving a normal IP address;
  
  scanning said end-user computer with cleanup service software and updating software on said end-user computer to bring said end-user computer into compliance with said security policy; and
  
  removing said identification of said end-user computer from said blacklist database.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19)
- - 13. A method as recited in claim 12 further comprising:
    - before said steps of scanning and removing, receiving another request at said DHCP server to provide an IP address for said end-user computer;
      
      returning to said end-user computer a special IP address and a lease time, said special IP address effectively preventing said end-user computer from communicating with other end-user computers of said computer network and logically placing said end-user computer in a restricted network segment of said computer network.
  - 14. A method as recited in claim 13 wherein said step of returning includesreturning to said end-user computer a special gateway IP address, said special gateway IP address effectively preventing said end-user computer from communicating with other end-user computers of said computer network and logically placing said end-user computer in a restricted network segment of said computer network.
  - 15. A method as recited in claim 12 wherein the logical location of said end-user computer in said restricted network segment permits routing of network packets from said end-user computer to only certain designated computers.
  - 16. A method as recited in claim 15 wherein said designated computers includes a computer hosting said cleanup service software application.
  - 17. A method as recited in claim 12 wherein said lease time is no more than 10 minutes.
  - 18. A method as recited in claim 12 wherein said identification of said end-user computer is an IP address, a MAC address, or said IP address and said MAC address.
  - 19. A method as recited in claim 12 further comprising:
    - performing said step of probing after said step of returning.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Trend Micro Inc.
Original Assignee
Trend Micro Inc.
Inventors
Wu, Handong, Chou, Tsunsheng
Primary Examiner(s)
Zand, Kambiz
Assistant Examiner(s)
Hailu, Teshome

Application Number

US11/958,042
Time in Patent Office

1,793 Days
Field of Search

713/168, 713/171, 726/1, 726/11, 726/12, 726/14
US Class Current

713/168
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/101   Access control lists [ACL]

H04L 63/1433   Vulnerability analysis

H04L 63/145   the attack involving the pr...

H04L 63/20   for managing network securi...

DHCP-based security policy enforcement system

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

30 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

DHCP-based security policy enforcement system

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

30 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links