Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer

US 9,003,484 B2
Filed: 05/22/2014
Issued: 04/07/2015
Est. Priority Date: 04/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for enforcing compliance with a policy on a client device that communicate over a network, the method comprising:

receiving a data transmission from the client device on the network, the data transmission including a request and status information representative of at least one property of the client device, the at least one property including a property of at least one program installed on the client computer;

identifying a policy applicable to the data transmission based on an identity of the client device;

permitting the data transmission to continue when the status information meets policy criterion of the identified policy as determined through a matching of the status information with desired values defined in the identified policy; and

permitting subsequently received data transmissions from the client device to continue without reading status information included in the subsequent data transmissions;

wherein;

permitting the data transmission to continue includes forwarding the data transmission for processing of the request;

when the identifying of a policy applicable to the data transmission does not identify a policy applicable to the data transmission;

determining whether a least some of the status information included in the data transmission meets at least one criterion in a table of criterion stored on a network device implementing the method; and

when the at least some of the status information included in the data transmission meets the at least one criterion in the table of criterion, generating a temporary policy for the client device and storing a representation of the temporary policy on the network device implementing the method.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for enforcing compliance with a policy on a client computer in communication with a network is disclosed. The method involves receiving a data transmission from the client computer on the network. The data transmission includes status information associated with the client computer. The data transmission is permitted to continue when the status information meets a criterion.

66 Citations

View as Search Results

16 Claims

1. A method for enforcing compliance with a policy on a client device that communicate over a network, the method comprising:
- receiving a data transmission from the client device on the network, the data transmission including a request and status information representative of at least one property of the client device, the at least one property including a property of at least one program installed on the client computer;
  
  identifying a policy applicable to the data transmission based on an identity of the client device;
  
  permitting the data transmission to continue when the status information meets policy criterion of the identified policy as determined through a matching of the status information with desired values defined in the identified policy; and
  
  permitting subsequently received data transmissions from the client device to continue without reading status information included in the subsequent data transmissions;
  
  wherein;
  
  permitting the data transmission to continue includes forwarding the data transmission for processing of the request;
  
  when the identifying of a policy applicable to the data transmission does not identify a policy applicable to the data transmission;
  
  determining whether a least some of the status information included in the data transmission meets at least one criterion in a table of criterion stored on a network device implementing the method; and
  
  when the at least some of the status information included in the data transmission meets the at least one criterion in the table of criterion, generating a temporary policy for the client device and storing a representation of the temporary policy on the network device implementing the method.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9)
- - 2. The method of claim 1, wherein the at least one property of the client device includes data representative of at least one of:
    - an indication of whether a particular process or program is executing on the client device;
      
      version information associated with the particular process or program on the client device;
      
      configuration information associated with the particular process or program on the client device; and
      
      version information associated with an signature database stored on the client device.
  - 3. The method of claim 2, wherein the at least one property of the client device includes at least two properties.
  - 4. The method of claim 1, wherein the identity of the client device is included in the data transmission and subsequent data transmissions as a client device identifier.
  - 5. The method of claim 1, wherein generating the temporary policy for the client device includes setting an active period for the temporary policy after which the temporary policy expires.
  - 6. The method of claim 5, further comprising:
    - preventing the data transmission from continuing when;
      
      the data transmission does not include status information;
      
      a policy does not exist for the client device from which the data transmission is received and the status information does not include status information that meets the at least one criterion in the table of criterion; and
      
      when a temporary policy exists for the client device but has expired.
  - 7. The method of claim 1, wherein permitting the data transmission to continue further includes authenticating a user of the client device before permitting the data transmission to continue.
  - 8. The method of claim 1, further comprising:
    - causing an action to be taken when the status information does not meet the criterion.
  - 9. The method of claim 8, further comprising:
    - transmitting a message to the client device indicating at least one of;
      
      the data transmission has been prevented from continuing;
      
      aspects of the criterion that are not met by the status information; and
      
      information for updating a configuration of the client device to conform to the criterion.

10. A non-transitory device-readable medium, with instructions stored thereon, which when executed by at least one processor of a network device cause the device to:
- receive a data transmission by the network device from a client device on a network, the data transmission including a request and status information representative of at least one property of the client device, the at least one property including a property of at least one program installed on the client computer;
  
  identify a policy applicable to the data transmission based on an identity of the client device, the policy stored on the network device;
  
  permitting the data transmission to continue from the network device on the network when the status information meets policy criterion of the identified policy as determined through a matching of the status information with desired values defined in the identified policy; and
  
  permit subsequently received data transmissions from the client device to continue from the network device without reading status information included in the subsequent data transmissions;
  
  wherein;
  
  permitting the data transmission to continue includes forwarding the data transmission from the network device as specified in the data transmission for processing of the request; and
  
  when the identifying of a policy applicable to the data transmission does not identify a policy applicable to the data transmission;
  
  determine whether a least some of the status information included in the data transmission meets at least one criterion in a table of criterion stored on the network device; and
  
  when the at least some of the status information included in the data transmission meets the at least one criterion in the table of criterion, generate a temporary policy for the client device and storing a representation of the temporary policy on the network device.
- View Dependent Claims (11, 12, 13, 14)
- - 11. The non-transitory device-readable medium of claim 10, wherein the at least one property of the client device includes data representative of at least one of:
    - an indication of whether a particular process or program is executing on the client device;
      
      version information associated with the particular process or program on the client device;
      
      configuration information associated with the particular process or program on the client device; and
      
      version information associated with an signature database stored on the client device.
  - 12. The non-transitory device-readable medium of claim 11, wherein the at least one property of the client device includes at least two properties and a client device identifier.
  - 13. The non-transitory device-readable medium of claim 10, wherein generating the temporary policy for the client device includes setting an active period for the temporary policy after which the temporary policy expires, the instructions are further executable to cause the device to:
    - prevent the data transmission from continuing when;
      
      the data transmission does not include status information;
      
      a policy does not exist for the client device from which the data transmission is received and the status information does not include status information that meets the at least one criterion in the table of criterion; and
      
      when a temporary policy exists for the client device but has expired.
  - 14. The non-transitory device-readable medium of claim 10, the instructions are further executable to cause the device to:
    - cause an action to be taken when the status information does not meet the criterion; and
      
      transmit a message to the client device indicating at least one of;
      
      the data transmission has been prevented from continuing;
      
      aspects of the criterion that are not met by the status information; and
      
      information for updating a configuration of the client device to conform to the criterion.

15. A network switching apparatus including functionality for enforcing a policy on a client device when the network switching apparatus and the client device are in communication via a first network, the network switching apparatus comprising:
- a network interface device to receive a data transmission from the client device, the data transmission including a request and status information representative of at least one property of the client device, the at least one property including a property of at least one program installed on the client computer;
  
  a processor circuit;
  
  at least one non-transitory device readable medium with instructions stored thereon, the instructions executable by the processor circuit to;
  
  identify a policy applicable to the data transmission based on an identity of the client device, the policy stored on the network switching apparatus;
  
  permit the data transmission to continue from the network switching apparatus on the network when the status information meets policy criterion of the identified policy as determined through a matching of the status information with desired values defined in the identified policy; and
  
  permit subsequently received data transmissions from the client device to continue from the network switching apparatus without reading status information included in the subsequent data transmissions;
  
  wherein;
  
  permitting the data transmission to continue includes forwarding the data transmission from the network switching apparatus as specified in the data transmission for processing of the request; and
  
  when the identifying of a policy applicable to the data transmission does not identify a policy applicable to the data transmission;
  
  determine whether at least some of the status information included in the data transmission meets at least one criterion in a table of criterion stored on the network switching apparatus; and
  
  when the at least some of the status information included in the data transmission meets the at least one criterion in the table of criterion, generate a temporary policy for the client device and storing a representation of the temporary policy on the network switching apparatus.
- View Dependent Claims (16)
- - 16. The network switching apparatus of claim 15, wherein the at least one property of the client device includes data representative of at least one of:
    - an indication of whether a particular process or program is executing on the client device;
      
      version information associated with the particular process or program on the client device;
      
      configuration information associated with the particular process or program on the client device; and
      
      version information associated with an signature database stored on the client device.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
May, Robert Alvin, Wang, Wei, Huang, Tao
Primary Examiner(s)
Lewis, Lisa
Assistant Examiner(s)
LWIN, MAUNG T

Application Number

US14/284,914
Publication Number

US 20140259098A1
Time in Patent Office

320 Days
Field of Search

None
US Class Current

726/1
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 21/56   Computer malware detection ...

G06F 21/606   by securing the transmissio...

G06F 2212/502   using adaptive policy

H04L 12/66   Arrangements for connecting...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 67/02   based on web technology, e....

H04L 9/40   Network security protocols

Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

66 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

66 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links