DHCP-based security policy enforcement system
First Claim
1. A method of requesting an IP address within a computer network having a security policy, said method comprising:
receiving a request at a DHCP server to provide an IP address for an end-user computer within said computer network;
consulting a blacklist database to determine if an identification of said end-user computer is present in said blacklist database, wherein the presence of said identification indicates that said end-user computer has previously been identified as not being in compliance with said security policy of said computer network;
determining that said identification of said end-user computer is not present in said blacklist database without undertaking an analysis of whether or not the end-user computer is actually in compliance with said security policy of said computer network;
returning to said end-user computer an IP address and a special lease time shorter than would normally be assigned, wherein the special lease time is based upon a value for a number of times that the end-user computer has requested an IP address from the DHCP server, wherein the returned IP address provides full access privileges to said computer network;
subsequently to the returning, probing said end-user computer to determine that the end-user computer is actually in compliance with said security policy of said computer network; and
upon expiration of the special lease time, assigning another IP address with a lease time longer than the special lease time, wherein the another IP address provides full access privileges to said computer network.
Abstract
A plug-in module of a DHCP server enforces a security policy of a computer network. The module receives a request to provide an IP address for an end-user computer. A blacklist database is consulted to determine if the computer is not in compliance with the policy. If not compliant, the module returns to the computer a special IP address, a special default gateway and a lease time; the special IP address places the computer in a restricted network segment of the network where it cannot send network packets to other computers. If compliant, the computer receives an IP address and a lease time. The first time an IP address is requested, a probe is triggered to determine if the computer is compliant, using software not present on the computer. A cleanup service located in the restricted segment removes malware and updates software. Lease times increase after each successful request of an IP address.
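The decision logic the abstract describes, as an added Python sketch that is not the patent's own code: blacklisted clients are confined to the restricted segment, unlisted clients get a normal address with a lease that grows on each request and a probe triggered on the first request, and a completed cleanup removes the blacklist entry. The address ranges, lease schedule and the use of the client MAC as identification are assumptions.

```python
from dataclasses import dataclass, field

# Assumed values for the example; the patent fixes none of these.
RESTRICTED_IP = "10.99.0.10"          # address inside the restricted segment
RESTRICTED_GATEWAY = "10.99.0.1"      # special default gateway for that segment
RESTRICTED_LEASE = 300                # short lease while quarantined (seconds)
LEASE_SCHEDULE = [600, 3600, 86400]   # lease grows with each successful request
NORMAL_GATEWAY = "10.1.0.1"


@dataclass
class Decision:
    ip: str
    gateway: str
    lease: int
    probe: bool        # True when an out-of-band policy probe should be started
    restricted: bool   # True when the client was placed in the restricted segment


@dataclass
class PolicyPlugin:
    """DHCP plug-in state: blacklist of client IDs and per-client request counts."""
    blacklist: set = field(default_factory=set)
    request_count: dict = field(default_factory=dict)
    next_host: int = 10  # next free host number in the assumed 10.1.0.0/24 pool

    def handle_request(self, client_id: str) -> Decision:
        if client_id in self.blacklist:
            # Previously found non-compliant: confine to the restricted segment,
            # where the cleanup service lives and packets cannot reach other hosts.
            return Decision(RESTRICTED_IP, RESTRICTED_GATEWAY, RESTRICTED_LEASE,
                            probe=False, restricted=True)
        # Not blacklisted: no compliance analysis before answering. Hand out a
        # full-access address whose lease depends on how often this client asked.
        n = self.request_count.get(client_id, 0)
        self.request_count[client_id] = n + 1
        lease = LEASE_SCHEDULE[min(n, len(LEASE_SCHEDULE) - 1)]
        ip = f"10.1.0.{self.next_host}"
        self.next_host += 1
        # The probe runs after the address is returned, on the first request only.
        return Decision(ip, NORMAL_GATEWAY, lease, probe=(n == 0), restricted=False)

    def record_probe(self, client_id: str, compliant: bool) -> None:
        """Result of the external policy probe: non-compliant clients get blacklisted."""
        if not compliant:
            self.blacklist.add(client_id)

    def cleanup_complete(self, client_id: str) -> None:
        """Cleanup service brought the client into compliance: lift the blacklist entry."""
        self.blacklist.discard(client_id)
```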
19 Claims
1. (Independent claim 1 is reproduced above under First Claim. Dependent claims: 2, 3, 4, 5.)
6. A method of requesting an IP address within a computer network having a security policy, said method comprising:
receiving a request at a DHCP server to provide an IP address for an end-user computer within said computer network;
consulting a blacklist database to determine if an identification of said end-user computer is present in said blacklist database, wherein the presence of said identification indicates that said end-user computer is not in compliance with said security policy of said computer network;
determining that said identification of said end-user computer is not present in said blacklist database;
determining how many times said end-user computer has requested an IP address;
returning to said end-user computer a normal IP address and a lease time, wherein the lease time is dependent on the number of times said end-user computer has requested an IP address; and
instructing that said end-user computer be probed with policy checking software to determine if said end-user computer complies with said security policy, wherein said policy checking software does not reside upon said end-user computer.
Dependent claims: 7, 8, 9, 10, 11.
12. A method of enforcing a security policy within a computer network, said method comprising:
receiving a request at a DHCP server to provide an IP address for an end-user computer within said computer network;
returning to said end-user computer an IP address and a lease time;
probing said end-user computer with policy checking software to determine if said end-user computer complies with said security policy, wherein said policy checking software does not reside upon said end-user computer;
determining that said end-user computer does not comply with said security policy and adding an identification of said end-user computer to a blacklist database, wherein the presence of said identification prevents said end-user computer from receiving a normal IP address;
scanning said end-user computer with cleanup service software and updating software on said end-user computer to bring said end-user computer into compliance with said security policy; and
removing said identification of said end-user computer from said blacklist database.
Dependent claims: 13, 14, 15, 16, 17, 18, 19.
Specification