Hardware interface for enabling direct access and security assessment sharing

US 8,739,289 B2
Filed: 06/24/2008
Issued: 05/27/2014
Est. Priority Date: 04/04/2008
Status: Active Grant

First Claim

Patent Images

1. A network interface card arranged for enabling Direct Access when installed in a host endpoint in an enterprise network, comprising:

An IPv4 to IPv6 translation component for providing IPv4 to IPv6 translation for data traffic that is incoming to the network interface card;

an IPsec component arranged for terminating an IPsec connection; and

an enterprise security assessment sharing component (ESASC) arranged for implementing a security assessment publish and subscribe model in hardware for sharing security assessments among security endpoints that subscribe to the (ESASC) so that they are available to other security endpoints, wherein each security assessment for each security endpoint is published onto a security assessment channel, a security assessment being a semantic abstraction of security related information that provides contextual meaning to a security incident that occurs within an enterprise network environment such that the security assessments received by any one of the security endpoints from any other security endpoints can be combined or correlated with evidence generated by the one security endpoint itself to determine and initiate a local response.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Native IPv6 capabilities are provided to an IPv4 network node, device, or endpoint using a hardware interface that supports network communication under a Direct Access model. The Direct Access model supports IPv6 communication with IPsec and enforces Network Access Protection (“NAP”) health requirement policies for endpoints that are network clients. A Direct Access-ready server is enabled using a hardware interface that implements IPv4 to IPv6 translation and optionally IPsec termination capability. A Direct Access-ready client is enabled using a hardware interface that implements IPv4 to IPv6 translation, IPsec termination capability, and which optionally provides NAP (Network Access Protection) capabilities for Direct Access-ready clients that are configured as mobile information appliances. The hardware interface may be implemented as a network interface card (“NIC”) or as a chipset.

26 Citations

View as Search Results

19 Claims

1. A network interface card arranged for enabling Direct Access when installed in a host endpoint in an enterprise network, comprising:
- An IPv4 to IPv6 translation component for providing IPv4 to IPv6 translation for data traffic that is incoming to the network interface card;
  
  an IPsec component arranged for terminating an IPsec connection; and
  
  an enterprise security assessment sharing component (ESASC) arranged for implementing a security assessment publish and subscribe model in hardware for sharing security assessments among security endpoints that subscribe to the (ESASC) so that they are available to other security endpoints, wherein each security assessment for each security endpoint is published onto a security assessment channel, a security assessment being a semantic abstraction of security related information that provides contextual meaning to a security incident that occurs within an enterprise network environment such that the security assessments received by any one of the security endpoints from any other security endpoints can be combined or correlated with evidence generated by the one security endpoint itself to determine and initiate a local response.
- View Dependent Claims (2, 3, 4, 5, 6, 7)
- - 2. The network interface card of claim 1 further including a standardized physical interface.
  - 3. The network interface card of claim 1 further including a client-side NAP component that provides NAP capabilities to client devices in which the network interface card is installed.
  - 4. The network interface card of claim 1 in which the IPv4 to IPv6 translation component is further arranged with an ALG functionality to perform modifications to a DNS registry.
  - 5. The network interface card of claim 1 in which the enterprise security assessment sharing component is further arranged for defining a time interval over which the security assessment is valid.
  - 6. The network interface card of claim 1 in which the enterprise security assessment sharing component is further arranged for receiving security assessments about security incidents detected by the network endpoints.
  - 7. The network interface card of claim 1 in which the enterprise security assessment sharing component is further arranged for rolling back a local response when a received security assessment is no longer valid.

8. A chipset arranged for enabling Direct Access when installed in a host device, comprising:
- An IPv4 to IPv6 translation component for providing IPv4 to IPv6 translation for data traffic that is incoming to the host device; and
  
  an enterprise security assessment sharing component arranged for implementing an enterprise security assessment sharing system in hardware, the system being arranged for implementing a security-related information sharing model by which security-related information is shareable among a plurality of endpoints in an enterprise security environment, the model facilitating use of a method comprising the steps of describing an object in the environment using a semantic abstraction of security-related information that is available to an endpoint, the semantic abstraction i) being categorized by type, and ii) being commonly utilizable by the endpoints to initiate a response to a security incident, and using a publish and subscribe model by which a publishing endpoint publishes the semantic abstraction to which a subscribing endpoint subscribes according to a subscription, the subscription being based on the semantic abstraction type, wherein each semantic abstraction for each endpoint is published onto a security assessment channel.
- View Dependent Claims (9, 10, 11, 12, 13, 14)
- - 9. The chipset of claim 8 in which the semantic abstraction is a security assessment that is arranged for providing an assignment of context by an endpoint to the security-related information using a pre-defined taxonomy which utilizes a schematized vocabulary comprising object types and assessment categories.
  - 10. The chipset of claim 8 further including an IPsec component arranged for terminating an IPsec connection.
  - 11. The chipset of claim 10 in which the IPsec component is an IPsec-NAP component.
  - 12. The chipset of claim 10 in which the IPsec component performs IPsec tunneling.
  - 13. The chipset of claim 10 in which the IPsec component implements an IPsec tunneling endpoint.
  - 14. The chipset of claim 8 further including a device-specific physical interface.

15. A network interface card for implementing an enterprise security assessment sharing functionality in hardware that is installable on a host endpoint in an enterprise network, the functionality performing a method comprising the steps of:
- generating a security assessment to describe a detected security incident, in which the generating is based at least in part on locally-available information about a system being monitored by the endpoint, the security assessment being a semantic abstraction of security related information that provides contextual meaning to the security incident and specifying a severity of the event and a level of confidence in accuracy of the detection of the security incident;
  
  receiving a current security assessment in accordance with a subscription to a subset of available security assessments generated by other endpoints in the enterprise security environment; and
  
  taking a response in accordance with a response policy on a per security assessment basis based on the received current security assessment and the locally-available information.
- View Dependent Claims (16, 17, 18, 19)
- - 16. The network interface card of claim 15 as embodied in a network interface card, the network interface card being configured for interoperability with either a Direct Access server or Direct Access client.
  - 17. The network interface card of claim 15 as embodied in a chipset, the chipset being configured for interoperability with either a Direct Access server or Direct Access client.
  - 18. The network interface card of claim 15 further including an IPv4 to IPv6 translation component for providing IPv4 to IPv6 translation for data traffic that is incoming to the interface.
  - 19. The network interface card of claim 15 further including an IPsec component arranged for terminating an IPsec connection at the interface.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Microsoft Technology Licensing LLC (Microsoft Corporation)
Original Assignee
Microsoft Corporation
Inventors
Nice, Nir, Walker, Lee F.
Primary Examiner(s)
GOODCHILD, WILLIAM J

Application Number

US12/144,863
Publication Number

US 20090254984A1
Time in Patent Office

2,163 Days
Field of Search

726/25
US Class Current

726/25
CPC Class Codes

H04L 63/0485 Networking architectures fo...

Hardware interface for enabling direct access and security assessment sharing

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

26 Citations

19 Claims

Specification

Solutions

Use Cases

Quick Links

Hardware interface for enabling direct access and security assessment sharing

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

26 Citations

19 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links