System and method for dynamic policy based access over a virtual private network
First Claim
1. A hardware apparatus for managing access to a resource over a network, comprising:
a receiver that receives a request for access to the resource from a client device; and
a policy manager, coupled to the receiver, that performs actions, including:
downloading a component onto the client device, wherein the downloaded component inspects the client device to detect a configuration of the client device, including determining whether client-security software other than a virtual sandbox is active on the client device;
receiving from the downloaded component the configuration of the client device based on the inspection;
in response to the received request, applying, using the apparatus, a dynamic policy for the access based, in part, on the received configuration and the requested resource;
employing the virtual sandbox at the client device to encrypt the resources using an encryption key that is separately stored on a remote server device; and
applying, using the apparatus, a restriction to the client device for access by the client device to the requested resource, the restriction based on the applied dynamic policy.
1 Assignment
0 Petitions
Abstract
An apparatus and method are directed to managing access to an enterprise resource over a virtual private network by employing a dynamic policy. A client device is configured to log into a network device. The network device receives information about the client device, including information about its configuration and environment. Based, in part, on received information a policy for access is applied to the client device. For example, in one embodiment, the policy may allow only email access from a public kiosk client device, but full intranet access from an enterprise configured client device. The policy may further enable a restriction for the client device that may restrict, for example, what documents may be saved by the client device. In one embodiment, the restriction is enabled using a virtual sandbox.
33 Claims
1. A hardware apparatus for managing access to a resource over a network (independent claim; full text given above under First Claim). Dependent claims: 2-9.
10. A method implemented at a network device of managing access to a resource over a network, comprising:
receiving at the network device a request for access to the resource from a client device; downloading a component onto the client device, wherein the downloaded component inspects the client device to detect a configuration of the client device, including determining what client security software is active on the client device; receiving from the downloaded component the configuration of the client device based on the inspection; in response to the received request, applying, using the network device, a dynamic policy for the access based, in part, on the received configuration and the requested resource; employing a virtual sandbox at the client device to encrypt the resources using an encryption key that is separately stored on a remote server device; and applying, using the network device, a restriction to the client device for access by the client device to the requested resource, the restriction based on the applied dynamic policy. Dependent claims: 11-21.
22. A hardware network appliance for managing access to a resource over a network, comprising:
a transceiver for receiving a request for access to the resource from a client device; and a processor that performs actions, including: receiving at the network appliance the request for access from the client device; downloading a component onto the client device, wherein the downloaded component inspects for a configuration of the client device including what client security software is active on the client device; receiving from the downloaded component information about the configuration of the client device based on the inspection; in response to the received request, applying, using the network appliance, a dynamic policy for the access based, in part, on the received configuration and the requested resource; employing a virtual sandbox at the client device to encrypt the resources using an encryption key that is separately stored on a remote server device; and applying, using the network appliance, a restriction to the client device for access by the client device to the requested resource, wherein the restriction is configured based on the applied dynamic policy. Dependent claims: 23-27.
28. A non-transitory computer readable storage medium that includes data and instructions, wherein the execution of the instructions on a computing device provides for managing access to a resource over a network by enabling actions, comprising:
receiving at the computing device a request for access to the resource from a client device; downloading a component onto the client device, wherein the downloaded component inspects for a configuration of the client device including whether client security software is active on the client device; receiving from the downloaded component information about the configuration of the client device based on the inspection; in response to the received request, applying, using the computing device, a dynamic policy to the access based, in part, on the configuration of the client device and the requested resource; employing a virtual sandbox at the client device to encrypt the resources using an encryption key that is separately stored on a remote server device; and applying, using the computing device, a restriction to the client device for access by the client device to the requested resource, the restriction based on the applied dynamic policy. Dependent claims: 29-30.
31. A hardware apparatus for managing access to a resource over a network, comprising:
a transceiver that receives a request for access to the resource from a client device; and a policy manager, coupled to the transceiver, that performs actions, including: downloading a component onto the client device, wherein the downloaded component inspects the client device to detect a configuration of the client device including what client security software is active on the client device and whether a hacker tool is enabled on the client device; receiving from the downloaded component information about the configuration of the client device based on the inspection, wherein the configuration includes at least an indication of a status of a security application residing on the client device including whether the application is active or disabled; in response to the received request, applying, using the apparatus, a dynamic policy for the access based, in part, on the configuration and the requested resource; employing a virtual sandbox at the client device to encrypt the resources using an encryption key that is separately stored on a remote server device; and restricting, using the apparatus, the client device for access by the client device to the requested resource, wherein the means for restricting is configured based, in part, on the applied dynamic policy.
32. A method implemented at a server device for managing access to a resource over a network, comprising:
receiving, at the server device, a request for access to the resource from a client device; determining, using the server device, a level of security software enabled on the client device, including what antivirus software is active on the client device and whether a hacker tool is enabled on the client device; in response to the received request, applying, using the server device, a dynamic policy to the access based, in part, on the determined level of security software enabled and the requested resource; employing a virtual sandbox at the client device to encrypt the resources using an encryption key that is separately stored on a remote server device; and applying, using the server device, a restriction to the client device for access by the client device to the requested resource, the restriction based on the applied dynamic policy.
33. A method implemented at a network appliance for managing access to a resource over a network, comprising:
receiving at the network appliance a request for access to the resource from a client device; determining if the client device is configured as a kiosk or a mobile device and whether client computing security software is active on the client device or whether a hacker tool is enabled on the client device; employing a virtual sandbox at the client device to encrypt the resources using an encryption key that is separately stored on a remote server device; and in response to the received request, applying, using the network appliance, a restriction to the client device for access by the client device to the requested resource, the restriction based on the determined configuration of the client device and the requested resource.
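The mechanism the abstract and claims 31-33 describe (posture report from a downloaded inspection component, a policy that depends on both the posture and the requested resource, and a sandbox whose encryption key lives only on a remote server) is shown below as an added example. This is not code from the patent or its assignee: the Posture fields, the resource names, the policy table (kiosk gets e-mail only, a managed client with active AV gets everything, a detected hacker tool denies all) and the HMAC-SHA256 counter-mode keystream standing in for whatever cipher a real sandbox would use are all assumptions chosen to mirror the text.

```python
"""Posture-gated VPN access policy with a server-held sandbox key.

Added illustration, not the patent's own code. Posture fields, resource names,
the policy table and the HMAC-CTR keystream are assumptions (see comments).
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional


@dataclass(frozen=True)
class Posture:
    """What the downloaded inspection component reports back (constructed fields)."""
    device_class: str          # assumed values: "enterprise", "mobile", "kiosk"
    av_active: bool            # is client security software active (claims 31-32)?
    hacker_tool_present: bool  # is a hacker tool enabled on the client (claims 31-33)?


@dataclass(frozen=True)
class Decision:
    allowed: frozenset        # resources this client may reach
    sandbox_required: bool    # must resource data go through the virtual sandbox?
    reason: str


RESOURCES = frozenset({"email", "intranet", "fileshare"})  # assumed resource names


def evaluate_policy(posture: Posture, requested: str) -> Decision:
    """Dynamic policy: the answer depends on the posture report AND the resource
    asked for. Policy table is an assumption mirroring the abstract's example."""
    if requested not in RESOURCES:
        return Decision(frozenset(), False, "unknown resource")
    if posture.hacker_tool_present:
        return Decision(frozenset(), False, "hacker tool detected: deny all")
    if posture.device_class == "enterprise" and posture.av_active:
        return Decision(RESOURCES, False, "managed client with active AV: full intranet")
    if posture.device_class == "kiosk":
        # Public kiosk: e-mail only, and nothing may be left on its disk in the clear.
        return Decision(frozenset({"email"}), True, "public kiosk: e-mail only, sandboxed")
    # Mobile device, or a managed client whose AV is disabled: no file share, sandboxed.
    return Decision(frozenset({"email", "intranet"}), True,
                    "unmanaged or AV-disabled client: sandboxed, no file share")


def access_granted(posture: Posture, requested: str) -> bool:
    """The restriction actually applied to the request."""
    return requested in evaluate_policy(posture, requested).allowed


class KeyServer:
    """Remote server holding the per-session sandbox key. The client never
    persists the key, so files it wrote become unreadable once the session
    is revoked, even though the ciphertext is still on the client's disk."""

    def __init__(self) -> None:
        self._keys: dict = {}

    def open_session(self) -> str:
        sid = secrets.token_hex(8)
        self._keys[sid] = secrets.token_bytes(32)
        return sid

    def key_for(self, sid: str) -> bytes:
        return self._keys[sid]          # raises KeyError once revoked

    def revoke(self, sid: str) -> None:
        self._keys.pop(sid, None)


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """HMAC-SHA256 in counter mode used as a stream cipher. Illustrative stand-in:
    a production sandbox would use an authenticated cipher such as AES-GCM.
    XOR is its own inverse, so one function both encrypts and decrypts."""
    out = bytearray()
    for block, offset in enumerate(range(0, len(data), 32)):
        ks = hmac.new(key, nonce + block.to_bytes(4, "big"), hashlib.sha256).digest()
        out.extend(b ^ k for b, k in zip(data[offset:offset + 32], ks))
    return bytes(out)


def sandbox_save(server: KeyServer, sid: str, plaintext: bytes) -> bytes:
    """Sandbox write path: fresh nonce per file, key fetched from the server."""
    nonce = secrets.token_bytes(16)
    return nonce + _keystream_xor(server.key_for(sid), nonce, plaintext)


def sandbox_open(server: KeyServer, sid: str, blob: bytes) -> Optional[bytes]:
    """Sandbox read path: None once the server no longer holds the session key."""
    try:
        key = server.key_for(sid)
    except KeyError:
        return None
    return _keystream_xor(key, blob[:16], blob[16:])


if __name__ == "__main__":
    kiosk = Posture("kiosk", av_active=False, hacker_tool_present=False)
    print(evaluate_policy(kiosk, "intranet"))
    server = KeyServer()
    sid = server.open_session()
    blob = sandbox_save(server, sid, b"confidential memo")
    print(sandbox_open(server, sid, blob))
    server.revoke(sid)
    print(sandbox_open(server, sid, blob))
```

Two design points worth noting: the policy function takes the requested resource as input, which is what makes it "dynamic" in the claims' sense (the same kiosk is allowed e-mail but refused the intranet), and the sandbox key is only ever obtained from the server at use time, so revoking the session on the server is what enforces the "what may be saved" restriction after the fact.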
Specification