System, method and computer program product for controlling network communications based on policy compliance
First Claim
1. A computer program product embodied on a non-transitory computer readable storage medium with instructions to:
- receive information over a communication network relating to potential compliancy of at least one subset of computers with one or more policies, wherein the potential compliancy of each of the at least one subset of computers is determined by an instance of a scanner associated with each computer;
wherein the information identifies at least one potentially out of compliance computer of the at least one subset of computers, the information including a network address associated with the potentially out of compliance computer, a description of a behavior associated with a violation of the policy that resulted in the at least one subset of computers being potentially out of compliance with the policy, and a severity associated with a violation of the policy that resulted in the at least one subset of computers being potentially out of compliance with the policy; and
compile a whitelist utilizing the information; and
send the whitelist to the at least one subset of computers;
wherein a network communication involving the at least one subset of computers is controlled utilizing a respective firewall of the at least one subset of computers such that a two-way quarantining is established in order to isolate out of compliance computers, wherein the network communication involving the at least one subset of computers is capable of being controlled utilizing the whitelist; and
wherein when a computer of the at least one subset of computers is determined to be compliant with the policy, information relating to the computer's policy compliance is conditionally reported to a server depending on whether the computer was out of compliance prior to the determination, to preserve at least one of bandwidth and processing resources associated with the server.
9 Assignments
0 Petitions
Abstract
A policy management system, method and computer program product are provided. In use, information is received over a network relating to at least one subset of computers that are at least potentially out of compliance with a policy. Further, such information is sent to a plurality of the computers, utilizing the network. To this end, network communication involving the at least one subset of computers is capable of being controlled utilizing the information.
63 Citations
21 Claims
1. A computer program product embodied on a non-transitory computer readable storage medium with instructions to:
- receive information over a communication network relating to potential compliancy of at least one subset of computers with one or more policies, wherein the potential compliancy of each of the at least one subset of computers is determined by an instance of a scanner associated with each computer;
wherein the information identifies at least one potentially out of compliance computer of the at least one subset of computers, the information including a network address associated with the potentially out of compliance computer, a description of a behavior associated with a violation of the policy that resulted in the at least one subset of computers being potentially out of compliance with the policy, and a severity associated with a violation of the policy that resulted in the at least one subset of computers being potentially out of compliance with the policy; and
compile a whitelist utilizing the information; and
send the whitelist to the at least one subset of computers;
wherein a network communication involving the at least one subset of computers is controlled utilizing a respective firewall of the at least one subset of computers such that a two-way quarantining is established in order to isolate out of compliance computers, wherein the network communication involving the at least one subset of computers is capable of being controlled utilizing the whitelist; and
wherein when a computer of the at least one subset of computers is determined to be compliant with the policy, information relating to the computer's policy compliance is conditionally reported to a server depending on whether the computer was out of compliance prior to the determination, to preserve at least one of bandwidth and processing resources associated with the server.
View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14, 15, 16, 17, 18, 19)
20. A method, comprising:
- receiving information over a communication network relating to potential compliancy of at least one subset of computers with one or more policies, wherein the potential compliancy of each of the at least one subset of computers is determined by an instance of a scanner associated with each computer;
wherein the information identifies at least one potentially out of compliance computer of the at least one subset of computers, the information including a network address associated with the potentially out of compliance computer, a description of a behavior associated with a violation of the policy that resulted in the at least one subset of computers being potentially out of compliance with the policy, and a severity associated with a violation of the policy that resulted in the at least one subset of computers being potentially out of compliance with the policy; and
compiling a whitelist utilizing the information; and
sending the whitelist to the at least one subset of computers;
wherein a network communication involving the at least one subset of computers is controlled utilizing a respective firewall of the at least one subset of computers such that a two-way quarantining is established in order to isolate out of compliance computers, wherein the network communication involving the at least one subset of computers is capable of being controlled utilizing the whitelist; and
wherein when a computer of the at least one subset of computers is determined to be compliant with the policy, information relating to the computer's policy compliance is conditionally reported to a server depending on whether the computer was out of compliance prior to the determination, to preserve at least one of bandwidth and processing resources associated with the server.
21. An apparatus, comprising:
- at least one processor, the at least one processor being configured to perform operations comprising:
receiving information over a communication network relating to the potential compliancy of at least one subset of computers with one or more policies, wherein the potential compliancy of each of the at least one subset of computers is determined by an instance of a scanner associated with each computer;
wherein the information identifies at least one potentially out of compliance computer of the at least one subset of computers, the information including a network address associated with the potentially out of compliance computer, a description of a behavior associated with a violation of the policy that resulted in the at least one subset of computers being potentially out of compliance with the policy, and a severity associated with a violation of the policy that resulted in the at least one subset of computers being potentially out of compliance with the policy; and
compiling a whitelist utilizing the information; and
sending the whitelist to the at least one subset of computers;
wherein a network communication involving the at least one subset of computers is controlled utilizing a respective firewall of the at least one subset of computers such that a two-way quarantining is established in order to isolate out of compliance computers, wherein the network communication involving the at least one subset of computers is capable of being controlled utilizing the whitelist; and
wherein when a computer of the at least one subset of computers is determined to be compliant with the policy, information relating to the computer's policy compliance is conditionally reported to a server depending on whether the computer was out of compliance prior to the determination, to preserve at least one of bandwidth and processing resources associated with the server.
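The three independent claims above describe one control loop: per-host scanners report address, violating behavior and severity; the server compiles a whitelist from those reports and pushes it to the hosts; each host's firewall enforces a two-way quarantine from that whitelist; and a host reports a compliant result only when it was previously out of compliance. The following is an added illustration of that loop, not the patent's code nor any product's implementation. The names `ComplianceReport`, `compile_whitelist`, `HostFirewall`, `ComplianceAgent` and the remediation-server carve-out are assumptions of this example; the host addresses and scan results are constructed sample data, and the "report only on a change of state" rule is one reading of the conditional-reporting clause.

```python
"""Added illustration of the claimed compliance-driven quarantine loop.

Not the patent's code. Names, the remediation-server exception and the
sample data below are assumptions made for this example.
"""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class ComplianceReport:
    address: str        # network address of the scanned computer
    compliant: bool     # scanner verdict for this computer
    behavior: str = ""  # description of the violating behavior, if any
    severity: int = 0   # severity of the violation (0 = no violation)


def compile_whitelist(reports, known_hosts):
    """Server side: every known host is allowed unless a scanner report
    flags it as out of compliance. Returns a sorted list for stable output."""
    quarantined = {r.address for r in reports if not r.compliant}
    return sorted(set(known_hosts) - quarantined)


@dataclass
class HostFirewall:
    """Host side: the per-computer firewall that enforces the whitelist."""
    own_address: str
    whitelist: set
    # Assumed carve-out: addresses an out-of-compliance host may still reach
    # so that it can be remediated (not stated in the claims).
    remediation_servers: set = field(default_factory=set)

    def allows(self, src, dst):
        """Two-way quarantine: a flow is permitted only if both endpoints are
        whitelisted, or one endpoint is a remediation server. A quarantined
        host can neither initiate to nor be reached by compliant hosts."""
        if src in self.remediation_servers or dst in self.remediation_servers:
            return True
        return src in self.whitelist and dst in self.whitelist


class ComplianceAgent:
    """Host side: decides whether a scan result needs to be sent to the server."""

    def __init__(self):
        self.previously_out_of_compliance = False

    def should_report(self, report):
        if not report.compliant:
            # Violations are always reported; remember the bad state.
            self.previously_out_of_compliance = True
            return True
        # A compliant result is reported only if it clears a prior violation,
        # so steady-state compliant hosts do not consume server resources.
        if self.previously_out_of_compliance:
            self.previously_out_of_compliance = False
            return True
        return False


def run_example():
    """Walk one cycle of the loop over constructed sample hosts and reports."""
    known_hosts = {"10.0.0.5", "10.0.0.6", "10.0.0.7"}  # constructed
    reports = [  # constructed scanner output from each host
        ComplianceReport("10.0.0.5", compliant=True),
        ComplianceReport("10.0.0.6", compliant=False,
                         behavior="endpoint protection service disabled",
                         severity=3),
        ComplianceReport("10.0.0.7", compliant=True),
    ]
    whitelist = compile_whitelist(reports, known_hosts)
    # The same whitelist is pushed to every host's firewall.
    fw = HostFirewall("10.0.0.5", set(whitelist), {"10.0.0.1"})
    decisions = {
        "compliant_to_compliant": fw.allows("10.0.0.5", "10.0.0.7"),
        "compliant_to_quarantined": fw.allows("10.0.0.5", "10.0.0.6"),
        "quarantined_to_compliant": fw.allows("10.0.0.6", "10.0.0.5"),
        "quarantined_to_remediation": fw.allows("10.0.0.6", "10.0.0.1"),
    }
    # Conditional reporting on host 10.0.0.6 across five scan cycles.
    agent = ComplianceAgent()
    verdicts = [True, True, False, True, True]
    reported = [agent.should_report(ComplianceReport("10.0.0.6", v))
                for v in verdicts]
    return {"whitelist": whitelist, "decisions": decisions, "reported": reported}


if __name__ == "__main__":
    print(run_example())
```

In the five-cycle sequence only the violation and the first compliant scan after it are sent to the server; the steady-state compliant scans before and after are suppressed, which is the bandwidth saving the claims describe. Whether a quarantined host may still reach a remediation server is a design choice this example adds; the claims themselves only require that the firewall isolate out-of-compliance computers in both directions.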
Specification