Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer

US 9,306,976 B2
Filed: 12/31/2012
Issued: 04/05/2016
Est. Priority Date: 04/21/2006
Status: Active Grant

First Claim

Patent Images

1. A method for client computer policy compliance enforcement, the method comprising:

receiving a data transmission from a client computer on a network, said data transmission received by a gateway node and including status information associated with a configuration and operational status of the client computer, the status information including hashed representations of client computer configuration and operational status data of at least one program installed on the client computer;

preventing, by the gateway node, said data transmission from continuing when said data transmission does not include status information or fails to meet a criterion;

applying, by the gateway node, a temporary policy for the client computer that permits said data transmission to continue when said status information meets a criterion as determined through a matching of the hashed representations of the client computer configuration and operational status data with desired hash values stored in a memory of the gateway node, said temporary policy including information identifying the client computer and wherein subsequent data transmissions from the client computer are permitted to continue without reading status information associated with the configuration and operational status of the client computer included in said subsequent data transmissions, while said temporary policy exists; and

wherein;

the gateway node is a network device that enforces at least one policy with regard to client computers communicating over the network;

the data transmission includes a request;

permitting the data transmission to continue includes the gateway node forwarding the data transmission for processing of the request; and

the temporary policy expires when either a first period expires or the client computer has not initiated any subsequent data transmissions within a second period.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and system for enforcing compliance with a policy on a client computer in communication with a network is disclosed. The method involves receiving a data transmission from the client computer on the network. The data transmission includes status information associated with the client computer. The data transmission is permitted to continue when the status information meets a criterion.

81 Citations

View as Search Results

20 Claims

1. A method for client computer policy compliance enforcement, the method comprising:
- receiving a data transmission from a client computer on a network, said data transmission received by a gateway node and including status information associated with a configuration and operational status of the client computer, the status information including hashed representations of client computer configuration and operational status data of at least one program installed on the client computer;
  
  preventing, by the gateway node, said data transmission from continuing when said data transmission does not include status information or fails to meet a criterion;
  
  applying, by the gateway node, a temporary policy for the client computer that permits said data transmission to continue when said status information meets a criterion as determined through a matching of the hashed representations of the client computer configuration and operational status data with desired hash values stored in a memory of the gateway node, said temporary policy including information identifying the client computer and wherein subsequent data transmissions from the client computer are permitted to continue without reading status information associated with the configuration and operational status of the client computer included in said subsequent data transmissions, while said temporary policy exists; and
  
  wherein;
  
  the gateway node is a network device that enforces at least one policy with regard to client computers communicating over the network;
  
  the data transmission includes a request;
  
  permitting the data transmission to continue includes the gateway node forwarding the data transmission for processing of the request; and
  
  the temporary policy expires when either a first period expires or the client computer has not initiated any subsequent data transmissions within a second period.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8)
- - 2. The method of claim 1, wherein permitting said data transmission to continue further comprises authenticating a user of the client computer before permitting said data transmission to continue.
  - 3. The method of claim 1, further comprising causing an action to be taken when said status information does not meet said criterion.
  - 4. The method of claim 3, wherein causing said action to be taken comprises causing an entry to be made in a log.
  - 5. The method of claim 3, wherein causing said action to be taken comprises causing an alert to be issued.
  - 6. The method of claim 5, wherein causing said alert to be issued comprises sending a message to an administrator of the network.
  - 7. The method of claim 3, further comprising sending a message to the client computer indicating at least one of:
    - said data transmission has been prevented from continuing;
      
      aspects of said criterion that are not met by said status information; and
      
      a network resource location for downloading data for updating a configuration of the client computer.
  - 8. The method of claim 7, wherein sending said message indicating said network resource location comprises sending a message indicating at least one of:
    - a location of a client security program image for installing client security program on the client computer;
      
      a location of a file for updating anti-virus signatures associated with potential computer virus attacks; and
      
      a location of a file for updating intrusion protection system (IPS) signatures associated with potential network intrusions.

9. A gateway node apparatus for enforcing a policy on a client computer, the gateway node apparatus and the client computer being in communication with a first network, the gateway node apparatus comprising:
- an interface operable to receive a data transmission from the client computer, said data transmission including status information associated with a configuration and operational status of the client computer, the status information including hashed representations of client computer configuration and operational status data of at least one program installed on the client computer;
  
  a processor circuit;
  
  at least one computer readable medium with codes stored thereon, the codes for directing said processor circuit to apply a temporary policy for the client computer that permits said data transmission to continue when said status information meets a criterion as determined through a matching of the hashed representations of the client computer configuration and operational status data with desired hash values, said temporary policy including information identifying the client computer and wherein subsequent data transmissions from the client computer are permitted to continue without reading status information associated with the configuration and operational status of the client computer included in said subsequent data transmissions, while said temporary policy exists; and
  
  wherein;
  
  the data transmission includes a request for a data resource from a server computer;
  
  permitting the data transmission to continue includes forwarding the data transmission for processing of the request; and
  
  the temporary policy expires when either a first period expires or the client computer has not initiated any subsequent data transmissions within a second period.
- View Dependent Claims (10, 11, 12, 13, 14, 15, 16, 17, 18, 19, 20)
- - 10. The apparatus of claim 9, wherein said computer readable medium further comprises codes for directing the processor circuit to prevent said data transmission from continuing when said data transmission does not include status information.
  - 11. The apparatus of claim 9, wherein said computer readable medium further comprises codes for directing the processor circuit to authenticate a user of the client computer before permitting said data transmission to continue.
  - 12. The apparatus of claim 9, wherein said computer readable medium further comprises codes for directing the processor circuit to cause an action to be taken when said status information does not meet said criterion.
  - 13. The apparatus of claim 12, wherein said computer readable medium further comprises codes for directing the processor circuit to cause an entry to be made in a log.
  - 14. The apparatus of claim 12, wherein said computer readable medium further comprises codes for directing the processor circuit to cause an alert to be issued.
  - 15. The apparatus of claim 14 wherein said alert comprises a message sent to an administrator of the network.
  - 16. The apparatus of claim 12, wherein said computer readable medium further comprises codes for directing the processor circuit to prevent said data transmission from continuing.
  - 17. The apparatus of claim 12, wherein said computer readable medium further comprises codes for directing the processor circuit to send a message to the client computer indicating at least one of:
    - said data transmission has been prevented from continuing;
      
      aspects of said criterion that are not met by said status information; and
      
      a network resource location for downloading data for updating a configuration of the client computer.
  - 18. The apparatus of claim 17, wherein said message indicating said network resource location comprises information indicating at least one of:
    - a location of a client security program image for installing a client security program on said client computer;
      
      a location of a file for updating anti-virus signatures associated with potential computer virus attacks; and
      
      a location of a file for updating intrusion protection system (IPS) signatures associated with potential network intrusions.
  - 19. The apparatus of claim 17, wherein said message indicating aspects of said criterion that are not met by said status information comprises information indicating at least one of:
    - a software license associated with said client security program installed on the client computer is not valid; and
      
      a configuration associated with said client security program fails to meet said criterion.
  - 20. The apparatus of claim 17, wherein said data transmission complies with a Hyper Text Transfer Protocol (HTTP) and wherein said message comprises a HTTP redirect response sent to the client computer redirecting the client computer to a web page.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Fortinet Inc.
Original Assignee
Fortinet Inc.
Inventors
May, Robert Alvin, Wang, Wei, Huang, Tao
Primary Examiner(s)
Vostal, O. C.

Application Number

US13/731,474
Publication Number

US 20130185762A1
Time in Patent Office

1,191 Days
Field of Search

726/1, 707/102, 707/999.102, 709/220, 709/229
US Class Current

1/1
CPC Class Codes

G06F 15/16   Combinations of two or more...

G06F 21/56   Computer malware detection ...

G06F 21/606   by securing the transmissio...

G06F 2212/502   using adaptive policy

H04L 12/66   Arrangements for connecting...

H04L 41/0893   Assignment of logical group...

H04L 41/0894   Policy-based network config...

H04L 63/0227   Filtering policies mail mes...

H04L 63/102   Entity profiles

H04L 63/108   when the policy decisions a...

H04L 63/20   for managing network securi...

H04L 63/205   involving negotiation or de...

H04L 67/02   based on web technology, e....

H04L 9/40   Network security protocols

Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

81 Citations

20 Claims

Specification

Solutions

Use Cases

Quick Links

Method, apparatus, signals and medium for enforcing compliance with a policy on a client computer

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

81 Citations

20 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links