System and method for identifying unauthorized endpoints
First Claim
1. A computer program product embodied in a non-transitory computer readable medium that, when executing on one or more computers, performs the steps of:
- collecting active endpoint information from each of a plurality of network devices other than active endpoints in a computer network, wherein the active endpoint information includes address information from each of a plurality of active endpoint computing facilities communicating through at least one of the plurality of network devices;
- forming an active endpoint list in a datastore wherein the address information is maintained as a list of media access control (MAC) addresses for active endpoints communicating with each of the plurality of network devices and wherein the contents of the data store are formed from Address Resolution Protocol (ARP) data collected from the plurality of network devices;
- collecting authorized endpoint information to the datastore from one or more authorized endpoints, wherein the authorized endpoint information is received from a security agent operating on each of a plurality of authorized endpoints that have been verified as being compliant with a security policy and have been authorized to access the computer network;
- forming an authorized endpoint list, wherein each authorized endpoint is represented by the authorized endpoint's media access control (MAC) address; and
- comparing the active endpoint list to the authorized endpoint list to identify an unauthorized endpoint, wherein the unauthorized endpoint is one of the active endpoints but is not one of the authorized endpoints.
Abstract
In embodiments of the present invention improved capabilities are described for identifying unauthorized endpoints. The present invention includes computer implemented methods and systems for actively polling and monitoring network devices, such as network routers and switches, to obtain information on any or all of the endpoints on a network with which the router or switch may have communicated. Address information acquired through polling is compared with an authorized endpoint list, which is generated from information reported by security agents on the authorized endpoints and stored in a security compliance store, in order to identify unauthorized endpoints. Methods and systems disclosed herein also include remediation measures to be taken on the unauthorized endpoints. Related user interfaces, applications, and computer program products are disclosed.
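The poll-and-compare procedure of claim 1 and the abstract, as an added illustration that is not code from the patent: ARP data gathered from two network devices (constructed sample output in Cisco and Linux formats, with hypothetical device names and MACs) is normalized into an active endpoint list keyed by MAC, and the MACs reported by security agents on verified endpoints form the authorized list; the set difference is the unauthorized endpoints. The MAC normalization step is an assumption the claim does not spell out, but without it the same adapter would appear as several different endpoints.

```python
import re
from collections import defaultdict

# Constructed ARP tables as a poller would collect them from network devices
# (not from endpoints). Vendor output formats differ, so MACs are normalized.
ARP_TABLES = {
    "core-sw1": [  # Cisco-style "show ip arp"; age "-" is the switch's own SVI
        "Internet  10.0.1.10   5   aabb.cc00.0101  ARPA  Vlan10",
        "Internet  10.0.1.11   2   aabb.cc00.0102  ARPA  Vlan10",
        "Internet  10.0.1.1    -   aabb.cc00.ffff  ARPA  Vlan10",
    ],
    "edge-rtr1": [  # Linux-style "ip neigh" on a router
        "10.0.2.20 dev eth1 lladdr AA:BB:CC:00:02:01 REACHABLE",
        "10.0.2.21 dev eth1 lladdr aa:bb:cc:00:02:02 STALE",
        "10.0.1.10 dev eth0 lladdr aa-bb-cc-00-01-01 REACHABLE",
    ],
}
# Constructed: MACs reported by the security agent on each policy-compliant endpoint.
AUTHORIZED_MACS = {"AA:BB:CC:00:01:01", "aa:bb:cc:00:01:02", "aabb.cc00.0201"}

MAC_RE = re.compile(r"(?:[0-9a-f]{2}[:-]){5}[0-9a-f]{2}|(?:[0-9a-f]{4}\.){2}[0-9a-f]{4}", re.I)
IP_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")

def normalize_mac(mac):
    """Canonical lower-case colon form, so aabb.cc00.0101 == AA:BB:CC:00:01:01."""
    digits = re.sub(r"[^0-9a-fA-F]", "", mac).lower()
    if len(digits) != 12:
        raise ValueError(f"bad MAC: {mac}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def active_endpoint_list(arp_tables, device_macs=()):
    """Active endpoint list from ARP data: MAC -> {ips, devices that saw it}."""
    own = {normalize_mac(m) for m in device_macs}  # the devices' own interfaces
    active = defaultdict(lambda: {"ips": set(), "devices": set()})
    for device, lines in arp_tables.items():
        for line in lines:
            mac_m, ip_m = MAC_RE.search(line), IP_RE.search(line)
            if not mac_m or not ip_m:
                continue  # header or malformed line
            mac = normalize_mac(mac_m.group(0))
            if mac in own:
                continue  # a network device is not an active endpoint
            active[mac]["ips"].add(ip_m.group(0))
            active[mac]["devices"].add(device)
    return dict(active)

def unauthorized_endpoints(active, authorized_macs):
    """Active endpoints whose MAC no security agent has reported as authorized."""
    authorized = {normalize_mac(m) for m in authorized_macs}
    return {mac: info for mac, info in active.items() if mac not in authorized}
```

A real poller would refresh ARP tables on a schedule, since ARP entries age out and a quiet endpoint can be missed by a single snapshot.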
13 Claims