Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer

US 8,935,416 B2
Filed: 04/21/2006
Issued: 01/13/2015
Est. Priority Date: 04/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing compliance with a policy on a client computer in communication with a network, the method comprising:

receiving a data transmission from the client computer on the network, said data transmission including status information associated with a configuration and operational status of the client computer, the status information including hashed representations of client computer configuration and operational status data, the status information including a plurality of information comprising;

an indication of whether a client security program is running on the client computer;

version information associated with the client security program installed on the client computer;

configuration information associated with the client security information installed on the client computer; and

version information associated with an intrusion protection system (IPS) signature database stored on the client computer;

determining a temporary policy for the client computer is active, permitting said data transmission to continue;

when a temporary policy for the client computer does not exist, generating a new temporary policy for the client computer and permitting said data transmission to continue when said status information meets a criterion as determined through a matching of the hashed representations of the client computer configuration and operational status data with desired hash values, said new temporary policy including information identifying the client computer and wherein subsequent data transmissions from the client computer are permitted to continue without reading status information included in said subsequent data transmissions, while said new temporary policy exists; and

wherein;

the data transmission includes a request; and

permitting the data transmission to continue includes forwarding the data transmission for processing of the request.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for enforcing compliance with a policy on a client computer in communication with a network is disclosed. The method involves receiving a data transmission from the client computer on the network. The data transmission includes status information associated with the client computer. The data transmission is permitted to continue when the status information meets a criterion.

Citations

42 Claims

1. A method for enforcing compliance with a policy on a client computer in communication with a network, the method comprising:
- receiving a data transmission from the client computer on the network, said data transmission including status information associated with a configuration and operational status of the client computer, the status information including hashed representations of client computer configuration and operational status data, the status information including a plurality of information comprising;
  
  an indication of whether a client security program is running on the client computer;
  
  version information associated with the client security program installed on the client computer;
  
  configuration information associated with the client security information installed on the client computer; and
  
  version information associated with an intrusion protection system (IPS) signature database stored on the client computer;
  
  determining a temporary policy for the client computer is active, permitting said data transmission to continue;
  
  when a temporary policy for the client computer does not exist, generating a new temporary policy for the client computer and permitting said data transmission to continue when said status information meets a criterion as determined through a matching of the hashed representations of the client computer configuration and operational status data with desired hash values, said new temporary policy including information identifying the client computer and wherein subsequent data transmissions from the client computer are permitted to continue without reading status information included in said subsequent data transmissions, while said new temporary policy exists; and
  
  wherein;
  
  the data transmission includes a request; and
  
  permitting the data transmission to continue includes forwarding the data transmission for processing of the request.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 2. The method of claim 1 further comprising preventing said data transmission from continuing when said data transmission does not include status information.
  - 3. The method of claim 1 wherein permitting said data transmission to continue further comprises authenticating a user of the client computer before permitting said data transmission to continue.
  - 4. The method of claim 1 further comprising causing an action to be taken when said status information does not meet said criterion.
  - 5. The method of claim 4 wherein causing said action to be taken comprises causing an entry to be made in a log.
  - 6. The method of claim 4 wherein causing said action to be taken comprises causing an alert to be issued.
  - 7. The method of claim 6 wherein causing said alert to be issued comprises sending a message to an administrator of the network.
  - 8. The method of claim 4 wherein causing said action to be taken comprises preventing said data transmission from continuing.
  - 9. The method of claim 4 further comprising sending a message to the client computer indicating at least one of:
    - said data transmission has been prevented from continuing;
      
      aspects of said criterion that are not met by said status information; and
      
      a network resource location for downloading data for updating a configuration of the client computer.
  - 10. The method of claim 9 wherein sending said message indicating said network resource location comprises sending a message indicating at least one of:
    - a location of the client security program image for installing client security program on the client computer;
      
      a location of a file for updating anti-virus signatures associated with potential computer virus attacks; and
      
      a location of a file for updating intrusion protection system (IPS) signatures associated with potential network intrusions.
  - 11. The method of claim 9 wherein sending said message indicating aspects of said criterion that are not met by said status information comprises producing a message indicating at least one of:
    - a software license associated with the client security program installed on the client computer is not valid; and
      
      a configuration associated with said client security program fails to meet said criterion.
  - 12. The method of claim 9 wherein said data transmission complies with a Hyper Text Transfer Protocol (HTTP) and wherein sending said message comprises sending a HTTP redirect response to the client computer redirecting the client computer to a web page.
  - 13. The method of claim 12 wherein redirecting comprises redirecting the client computer to a web page comprising at least one link to a network resource location for downloading data for updating a configuration of the client computer.
  - 14. The method of claim 1 wherein receiving said data transmission comprises receiving a data transmission from the client computer including data complying with one of a hyper text transfer protocol (HTTP), a simple mail transport protocol (SMTP), an internet message access protocol (IMAP), a post office protocol (POP), a telnet protocol, a domain name system (DNS) protocol, a voice over internet protocol (VoIP), a peer-to-peer (P2P) protocol, a dynamic host configuration protocol (DHCP), and a point-to-point (PPP) protocol.
  - 15. The method of claim 1 wherein permitting said data transmission to continue comprises permitting said data transmission to continue when said status information meets a criterion set by an administrator of the network.
  - 16. The method of claim 1 wherein permitting said data transmission to continue when said status information meets said criterion further comprises permitting subsequent data transmissions to continue until at least one of:
    - a first period of time expires; and
      
      the client computer has not initiated any subsequent data transmissions for a second period of time.
  - 17. The method of claim 1 wherein the network includes a first network and further comprising receiving said data transmission at a gateway node on said first network, said gateway node being in communication with a second network, and wherein permitting said data transmission to continue comprises permitting said data transmission to said second network when said status information meets said criterion.
  - 18. The method of claim 17 wherein permitting said data transmission to continue comprises reading said status information and comparing at least some of said status information against at least one criterion in a table of criteria stored on said gateway node and permitting said data transmission to said second network when said at least some of said status information satisfies said at least one criterion.
  - 19. The method of claim 1 further comprising causing said new temporary policy to expire when at least one of:
    - a first period of time expires; and
      
      when the client computer has not initiated any subsequent data transmissions for a second period of time.
  - 20. The method of claim 17 further comprising storing a client security program installation image on said gateway node, said installation image comprising codes for installing the client security program on the client computer.

21. A non-transitory computer readable medium encoded with codes for directing a processor circuit to:
- receive a data transmission from the client computer on the network, said data transmission including status information associated with a configuration and operational status of said client computer, the status information including hashed representations of client computer configuration and operational status data, the status information including a plurality of information comprising;
  
  an indication of whether a client security program is running on the client computer;
  
  version information associated with the client security program installed on the client computer;
  
  configuration information associated with the client security information installed on the client computer; and
  
  version information associated with an intrusion protection system (IPS) signature database stored on the client computer;
  
  determine a temporary policy for the client computer is active, permitting said data transmission to continue;
  
  when a temporary policy for the client computer does not exist, generating a new temporary policy for the client computer and permit said data transmission to continue when said status information meets a criterion as determined through a matching of the hashed representations of the client computer configuration and operational status data with desired hash values, said new temporary policy including information identifying the client computer and wherein subsequent data transmissions from the client computer are permitted to continue without reading status information included in said subsequent data transmissions, while said new temporary policy exists; and
  
  wherein;
  
  the data transmission includes a request; and
  
  permitting the data transmission to continue includes forwarding the data transmission for processing of the request.
- View Dependent Claims (22)
- - 22. The non-transitory computer readable medium of claim 21 wherein said codes are encoded on a Compact Disk Read-only Memory (CD ROM).

23. A gateway node apparatus for enforcing a policy on a client computer, the gateway node apparatus and the client computer being in communication with a first network, the gateway node apparatus comprising:
- an interface operable to receive a data transmission from the client computer, said data transmission including status information associated with a configuration and operational status of the client computer, the status information including hashed representations of client computer configuration and operational status data, the status information including a plurality of information comprising;
  
  an indication of whether a client security program is running on the client computer;
  
  version information associated with the client security program installed on the client computer;
  
  configuration information associated with the client security information installed on the client computer; and
  
  version information associated with an intrusion protection system (IPS) signature database stored on the client computer;
  
  a processor circuit;
  
  at least one computer readable medium with codes stored thereon, the codes for directing said processor circuit to;
  
  determine a temporary policy for the client computer is active and permit said data transmission to continue;
  
  determine a temporary policy for the client computer does not exist and generate a new temporary policy for the client computer and permit said data transmission to continue when said status information meets a criterion as determined through a matching of the hashed representations of the client computer configuration and operational status data with desired hash values, said new temporary policy including information identifying the client computer and wherein subsequent data transmissions from the client computer are permitted to continue without reading status information included in said subsequent data transmissions, while said new temporary policy exists; and
  
  wherein;
  
  the data transmission includes a request; and
  
  permitting the data transmission to continue includes forwarding the data transmission for processing of the request.
- View Dependent Claims (24, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34, 35, 36, 37, 38, 39, 40, 41, 42)
- - 24. The apparatus of claim 23 wherein said computer readable medium further comprises codes for directing the processor circuit to prevent said data transmission from continuing when said data transmission does not include status information.
  - 25. The apparatus of claim 23 wherein said computer readable medium further comprises codes for directing the processor circuit to authenticate a user of the client computer before permitting said data transmission to continue.
  - 26. The apparatus of claim 23 wherein said computer readable medium further comprises codes for directing the processor circuit to cause an action to be taken when said status information does not meet said criterion.
  - 27. The apparatus of claim 26 wherein said computer readable medium further comprises codes for directing the processor circuit to cause an entry to be made in a log.
  - 28. The apparatus of claim 26 wherein said computer readable medium further comprises codes for directing the processor circuit to cause an alert to be issued.
  - 29. The apparatus of claim 28 wherein said alert comprises a message sent to an administrator of the network.
  - 30. The apparatus of claim 26 wherein said computer readable medium further comprises codes for directing the processor circuit to prevent said data transmission from continuing.
  - 31. The apparatus of claim 26 wherein said computer readable medium further comprises codes for directing the processor circuit to send a message to the client computer indicating at least one of:
    - said data transmission has been prevented from continuing;
      
      aspects of said criterion that are not met by said status information; and
      
      a network resource location for downloading data for updating a configuration of the client computer.
  - 32. The apparatus of claim 31 wherein said message indicating said network resource location comprises information indicating at least one of:
    - a location of the client security program image for installing a client security program on said client computer;
      
      a location of a file for updating anti-virus signatures associated with potential computer virus attacks; and
      
      a location of a file for updating intrusion protection system (IPS) signatures associated with potential network intrusions.
  - 33. The apparatus of claim 31 wherein said message indicating aspects of said criterion that are not met by said status information comprises information indicating at least one of:
    - a software license associated with said client security program installed on the client computer is not valid; and
      
      a configuration associated with said client security program fails to meet said criterion.
  - 34. The apparatus of claim 31 wherein said data transmission complies with a Hyper Text Transfer Protocol (HTTP) and wherein said message comprises a HTTP redirect response sent to the client computer redirecting the client computer to a web page.
  - 35. The apparatus of claim 34 wherein said web page comprises at least one link to a network resource location for downloading data for updating a configuration of the client computer.
  - 36. The apparatus of claim 23 wherein said data transmission comprises data complying with one of a hyper text transfer protocol (HTTP), a simple mail transport protocol (SMTP), an internet message access protocol (IMAP), a post office protocol (POP), a telnet protocol, a domain name system (DNS) protocol, a voice over internet protocol (VoIP), a peer-to-peer (P2P) protocol, a dynamic host configuration protocol (DHCP), and a point-to-point (PPP) protocol.
  - 37. The apparatus of claim 23 wherein said criterion comprises at least one criterion set by an administrator of the network.
  - 38. The apparatus of claim 23 wherein the network comprises a first network, said apparatus further comprising a second interface in communication with a second network, said data transmission comprising a data transmission destined for said second network, said computer readable medium further comprising codes for directing the processor circuit to permit said data transmission to said second network when said status information meets said criterion.
  - 39. The apparatus of claim 38 further comprising a table of criteria stored in a memory on said apparatus and wherein said computer readable medium further comprises codes for directing the processor circuit to read said status information and compare at least some of said status information with at least one criterion in said table of criteria and to permit said data transmission to said second network when said at least some of said status information satisfies said at least one criterion.
  - 40. The apparatus of claim 23 wherein said new temporary policy further comprises time information, said time information facilitating a determination of a period of time since said new temporary policy was created.
  - 41. The apparatus of claim 38 wherein said computer readable medium further comprises codes for directing the processor circuit to cause said new temporary policy to expire when at least one of:
    - a first period of time expires; and
      
      when the client computer has not initiated any subsequent data transmissions for a second period of time.
  - 42. The apparatus of claim 38 further comprising a client security program installation image stored in memory on said apparatus, said installation image comprising codes for installing the client security program on the client computer.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
May, Robert Alvin, Wang, Wei, Huang, Tao
Primary Examiner(s)
VOSTAL, ONDREJ C

Application Number

US11/409,401
Publication Number

US 20070250627A1
Time in Patent Office

3,189 Days
Field of Search

709/229, 726/12
US Class Current

709/229
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 21/56   Computer malware detection ...

G06F 21/606   by securing the transmissio...

G06F 2212/502   using adaptive policy

H04L 12/66   Arrangements for connecting...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 67/02   based on web technology, e....

H04L 9/40   Network security protocols

Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

42 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

42 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links