Method and system for dynamic security using authentication server

US 8,590,004 B2
Filed: 02/14/2008
Issued: 11/19/2013
Est. Priority Date: 02/16/2007
Status: Active Grant

First Claim

Patent Images

1. A data network access security system for regulating access to resources on a data network, said system comprising:

a network security and monitoring system (NSMS) for monitoring access of end systems to the network; and

an access policy module to receive authentication credentials from an access point through which a first client device is attempting to connect to network resources, said policy module further responds to the access point with determinations of network resource access permissions and restrictions for the first client device based on data retrieved;

(1) from an authentication database and (2) a Dynamic Security Data &

Policy Database (DSDPD), which DSDPD includes rules indicating network resource access provisions to be applied to a given client device based on;

(1) data received from the given client device indicating the compliance of the given client device with specific security policies and (2) security information said DSDPD retrieves from said NSMS;

wherein, said NSMS monitors a history of network resource access authorization requests, which history includes;

(a) identities of parties who requested authorizations; and

(b) results of the authorization requests.

View all claims

4 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Disclosed is a method and system for network access control, including an authentication proxy that authenticates different access-points, retrieves data from security databases and from Network Monitoring Systems, processing said data according to a dynamic security policy and using said processing outcome to determine the access level which will be granted to an access point in the network.

Citations

21 Claims

1. A data network access security system for regulating access to resources on a data network, said system comprising:
- a network security and monitoring system (NSMS) for monitoring access of end systems to the network; and
  
  an access policy module to receive authentication credentials from an access point through which a first client device is attempting to connect to network resources, said policy module further responds to the access point with determinations of network resource access permissions and restrictions for the first client device based on data retrieved;
  
  (1) from an authentication database and (2) a Dynamic Security Data &
  
  Policy Database (DSDPD), which DSDPD includes rules indicating network resource access provisions to be applied to a given client device based on;
  
  (1) data received from the given client device indicating the compliance of the given client device with specific security policies and (2) security information said DSDPD retrieves from said NSMS;
  
  wherein, said NSMS monitors a history of network resource access authorization requests, which history includes;
  
  (a) identities of parties who requested authorizations; and
  
  (b) results of the authorization requests.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The system according to claim 1, wherein the response to the access point identifies which network resources the client may access.
  - 3. The system according to claim 2, wherein the access point is selected from the group consisting of a switch, a VPN, a WAP, and a Dial-Up service.
  - 4. The system according'"'"' to claim 1, wherein said network security and monitoring system comprises an intrusion prevention system or an intrusion detection system.
  - 5. The system according to claim 1, wherein the authentication server is selected from the group consisting of:
    - a Remote Authentication Dial in Service (RADIUS) server, a TACACS+server and a DIAMETER server.
  - 6. The system according to claim 1, wherein said network security and monitoring system comprises a Network Access Control system.
  - 7. The system according to claim 6, wherein the Dynamic Security Data &
    - Policy Database retrieves data from a network security and monitoring system based on parameters associated with said received authentication credentials.
  - 8. The system according to claim 1, wherein said network security and monitoring system is selected from the group consisting of:
    - an intrusion prevention system (IPS) and a NAC policy enforcement system.
  - 9. The system according to claim 1, wherein said access policy module further updates a network security and monitoring system based on data received from the access point and the authentication server.

10. A method for regulating access to resources on a data network comprising:
- receiving authentication credentials from an access point through which the client is attempting to connect to network resources;
  
  retrieving data from an authentication server;
  
  retrieving data from a Dynamic Security Data &
  
  Policy Database (DSDPD), which DSDPD includes rules indicating network resource access provisions to be applied to a given client device based on;
  
  (1) data received from the given client device indicating the compliance of the given client device with specific security policies and (2) security information said DSDPD retrieves from a network security and monitoring system (NSMS), wherein said NSMS monitors a history of network resource access authorization requests, which history includes;
  
  (a) identities of parties who requested authorizations; and
  
  (b) results of the authorization requests;
  
  processing the retrieved data from the authentication server and the DSDPD, wherein said processing is computed according to a dynamic security policy; and
  
  sending a response to the network access point based on the processing of the retrieved data.
- View Dependent Claims (11, 12, 13, 14, 15, 16, 17, 18)
- - 11. The method according to claim 10, wherein the response to the access point identifies which network resources the client device may access.
  - 12. The method according to claim 10, wherein the access point is selected from the group consisting of:
    - a switch, a VPN, a wireless access point, a dial up service.
  - 13. The method according to claim 10, wherein said network security and monitoring system comprises an intrusion prevention system or an intrusion detection system.
  - 14. The method according to claim 10, wherein the authentication server is selected from the group consisting of:
    - a Remote Authentication Dial in Service (RADIUS) server, a TACACS+server and a DIAMETER server.
  - 15. The method according to claim 10, wherein said network security and monitoring system comprises a Network Access Control system.
  - 16. The method according to claim 15, wherein the Dynamic Security Data &
    - Policy Database retrieves data from a network security and monitoring system based on parameters associated with said received authentication credentials.
  - 17. The method according to claim 10, wherein said network security and monitoring system is selected from the group consisting of:
    - an intrusion prevention system (IPS) and a NAC policy enforcement system.
  - 18. The method according to claim 10, further comprising the step of updating a network security and monitoring system based on data received from the access point and the authentication server.

19. A method for updating a network security and monitoring system comprising:
- receiving an authorization request from an access point;
  
  receiving a response from an authentication server; and
  
  updating the network security and monitoring system by updating rules of a functionally associated Dynamic Security Data &
  
  Policy Database (DSDPD), which DSDPD includes rules indicating network resource access provisions to be applied to a given client device based on;
  
  (1) data received from the given client device indicating the compliance of the given client device with specific security policies; and
  
  (2) security information said DSDPD retrieves from a network security and monitoring system (NSMS), wherein said NSMS monitors a history of network resource access authorization requests, which history includes;
  
  (a) identities of parties who requested authorizations; and
  
  (b) results of the authorization requests.
- View Dependent Claims (20, 21)
- - 20. The method according to claim 19, wherein the response from an authentication server is associated with the authorization request.
  - 21. The method according to claim 19, wherein an update to the network security and monitoring system includes the following attributes:
    - who requested the authentication, when the authentication request was initiated, was the authentication successful, what type of authentication was requested, and what authorization has been granted.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
ForeScout Technologies Incorporated
Original Assignee
ForeScout Technologies Incorporated
Inventors
Comay, Oded, Shikmoni, Doron
Primary Examiner(s)
Song, Hosuk

Application Number

US12/527,426
Publication Number

US 20100024009A1
Time in Patent Office

2,105 Days
Field of Search

726 1- 5, 726 22- 23, 726/27, 726/11, 726/15, 713/150, 713/155, 713/168, 709/217, 709224-225, 709/229
US Class Current

726/1
CPC Class Codes

H04L 63/08   for authentication of entit...

H04L 63/0892   by using authentication-aut...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

Method and system for dynamic security using authentication server

First Claim

4 Assignments

0 Petitions

Accused Products

Abstract

Citations

21 Claims

Specification

Solutions

Use Cases

Quick Links

Method and system for dynamic security using authentication server

First Claim

4 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

21 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links