Network security based on device identifiers and network addresses

US 10,382,436 B2
Filed: 11/22/2016
Issued: 08/13/2019
Est. Priority Date: 11/22/2016
Status: Active Grant

First Claim

Patent Images

1. A computing system for controlling communication in a computer network managed by an organization, comprising:

a processor; and

a memory that stores instructions that are configured, when executed by the processor, to evaluate a network communication from a first computing device, wherein the first computing device is connected to a first network and uses a source network address, by;

determining whether the source network address is included in a list of trusted network addresses;

when the source network address is not included in the list of trusted network addresses, disallowing the network communication on the first network;

when the source network address is included in the list of trusted network addresses,receiving data representing a non-modifiable device identifier of the first computing device;

determining whether the device identifier is included in a list of trusted device identifiers; and

when the device identifier is included in the list of trusted device identifiers, allowing the network communication on the first network;

receiving an indication of a white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties;

determining a first communication property that is associated with the network communication;

determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the source network address;

evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;

in response to determining that the first communication property is not encompassed by the second communication property, disallowing the network communication;

in response to determining that the first communication property is encompassed by the second communication property, allowing the network communication; and

randomly auditing packets received at a network interface by;

randomly selecting a first packet;

determining whether the source network address and the non-modifiable device identifier associated with the first packet are both authorized;

allowing multiple packets received from the first device subsequent to the first packet without verifying a non-modifiable device identifier;

randomly selecting a second packet received after the multiple packets;

determining whether the source network address and the non-modifiable device identifier are both authorized; and

determining whether the source network address and the non-modifiable device identifier associated with the second packet are both authorized,wherein the first computing device is configured to execute a secure boot process that loads and executes only trusted code, wherein the trusted code disallows any modification of the source network address and non-modifiable device identifier.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Techniques for network security are disclosed. In some implementations, an evaluation module determines whether a network communication from a computing device is allowable. The allowability of the communication is determined based on (1) whether the computing device is using an authorized source network address, and (2) whether a non-modifiable identifier of the computing device is authorized. The non-modifiable identifier is a fixed hardware identifier of the computing device, such as an identifier of a CPU, network interface card, storage device, or the like.

123 Citations

16 Claims

1. A computing system for controlling communication in a computer network managed by an organization, comprising:
- a processor; and
  
  a memory that stores instructions that are configured, when executed by the processor, to evaluate a network communication from a first computing device, wherein the first computing device is connected to a first network and uses a source network address, by;
  
  determining whether the source network address is included in a list of trusted network addresses;
  
  when the source network address is not included in the list of trusted network addresses, disallowing the network communication on the first network;
  
  when the source network address is included in the list of trusted network addresses,receiving data representing a non-modifiable device identifier of the first computing device;
  
  determining whether the device identifier is included in a list of trusted device identifiers; and
  
  when the device identifier is included in the list of trusted device identifiers, allowing the network communication on the first network;
  
  receiving an indication of a white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties;
  
  determining a first communication property that is associated with the network communication;
  
  determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the source network address;
  
  evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;
  
  in response to determining that the first communication property is not encompassed by the second communication property, disallowing the network communication;
  
  in response to determining that the first communication property is encompassed by the second communication property, allowing the network communication; and
  
  randomly auditing packets received at a network interface by;
  
  randomly selecting a first packet;
  
  determining whether the source network address and the non-modifiable device identifier associated with the first packet are both authorized;
  
  allowing multiple packets received from the first device subsequent to the first packet without verifying a non-modifiable device identifier;
  
  randomly selecting a second packet received after the multiple packets;
  
  determining whether the source network address and the non-modifiable device identifier are both authorized; and
  
  determining whether the source network address and the non-modifiable device identifier associated with the second packet are both authorized,wherein the first computing device is configured to execute a secure boot process that loads and executes only trusted code, wherein the trusted code disallows any modification of the source network address and non-modifiable device identifier.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The computing system of claim 1, wherein the instructions are further configured to:
    - when the device identifier is not included in the list of trusted device identifiers, allow the network communication on the first network only when the first network is a guest network managed by the organization.
  - 3. The computing system of claim 2, wherein the guest network is a guest wireless network managed by the organization.
  - 4. The computing system of claim 1, wherein the first computing device is communicating from a network not managed by the organization, and wherein the instructions are further configured to:
    - allow the network communication only when (1) the source network address is included in the list of trusted network addresses, and (2) the when the device identifier is included in the list of trusted device identifiers.
  - 5. The computing system of claim 4, wherein the network not managed by the organization is the Internet.
  - 6. The computing system of claim 1, wherein the first computing device is configured to disallow any modification of device hardware or software, and wherein the non-modifiable device identifier is at least one of a CPU identifier, a device serial number, a mother board identifier, a network interface card identifiers, MAC address, a video card identifier, a storage device identifier, or an input/output device identifier.
  - 7. The computing system of claim 6, wherein the trusted code disallows any modification of the device hardware and software.
  - 8. The computing system of claim 6, wherein the first computing device disables user access to BIOS code stored and executed by the first computing device.
  - 9. The computing system of claim 6, wherein receiving data representing a non-modifiable device identifier of the first computing device includes receiving data that has been encrypted and digitally signed using a private key stored by the first device.
  - 10. The computing system of claim 1, wherein the instructions are further configured to:
    - when the source network address is included in the list of trusted network addresses,transmit a request to the first device to provide its non-modifiable device identifier; and
      
      receive the non-modifiable device identifier from the first device.
  - 11. The computing system of claim 1, wherein the instructions are further configured to:
    - determine that a first packet that is transmitted by the first device is associated with an authorized network address and an authorized non-modifiable device identifier;
      
      allow multiple packets received from the first device subsequent to the first packet, wherein the multiple packets are allowed based on source network addresses and without any evaluation of non-modifiable device identifiers; and
      
      after passage of a determined time interval or number of packets, require the first device to again provide its non-modifiable device identifier to authorize further communication.

12. A method for controlling communication in a computer network managed by an organization, the method comprising:
- evaluating a network communication from a first computing device, wherein the first computing device is connected to a first network and uses a source network address, by;
  
  determining whether the source network address is included in a list of trusted network addresses;
  
  when the source network address is not included in the list of trusted network addresses, disallowing the network communication on the first network;
  
  when the source network address is included in the list of trusted network addresses,receiving data representing a non-modifiable device identifier of the first computing device;
  
  determining whether the device identifier is included in a list of trusted device identifiers; and
  
  when the device identifier is included in the list of trusted device identifiers, allowing the network communication on the first network;
  
  receiving an indication of a white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties;
  
  determining a first communication property that is associated with the network communication;
  
  determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the source network address;
  
  evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;
  
  in response to determining that the first communication property is not encompassed by the second communication property, disallowing the network communication;
  
  in response to determining that the first communication property is encompassed by the second communication property, allowing the network communication;
  
  determining that a first packet that is transmitted by the first device is associated with an authorized network address and an authorized non-modifiable device identifier;
  
  allowing multiple packets received from the first device subsequent to the first packet, wherein the multiple packets are allowed based on source network addresses and without any evaluation of non-modifiable device identifiers; and
  
  after passage of a determined time interval or a determined number of packets, requiring the first device to again provide its non-modifiable device identifier to authorize further communication,wherein the first computing device is configured to execute a secure boot process that loads and executes only trusted code, wherein the trusted code disallows any modification of hardware identifiers of the first computing device including the non-modifiable device identifier.
- View Dependent Claims (13, 14, 15)
- - 13. The method of claim 12, further comprising:
    - when the device identifier is not included in the list of trusted device identifiers, allowing the network communication on the first network only when the first network is a guest network managed by the organization, wherein the guest network is a guest wireless network managed by the organization.
  - 14. The method of claim 12, wherein the first computing device is communicating from a network not managed by the organization, and further comprising:
    - allowing the network communication only when (1) the source network address is included in the list of trusted network addresses, and (2) the when the device identifier is included in the list of trusted device identifiers.
  - 15. The method of claim 12,wherein the first computing device is configured to disallow any modification of device hardware or software;
    - wherein the non-modifiable device identifier is at least one of a CPU identifier, a device serial number, a mother board identifier, a network interface card identifiers, MAC address, a video card identifier, a storage device identifier, or an input/output device identifier;
      
      wherein the first computing device disables user access to BIOS code stored and executed by the first computing device;
      
      wherein the first computing device is configured to execute a secure boot process that loads and executes only trusted code; and
      
      wherein the trusted code disallows any modification of the device hardware and software.

16. A non-transitory computer-readable medium that stores instructions that are configured, when executed by a computer processor, to perform a method for controlling communication in a computer network managed by an organization, the method comprising:
- evaluating a network communication from a first computing device, wherein the first computing device is connected to a first network and uses a source network address, by;
  
  determining whether the source network address is included in a list of trusted network addresses;
  
  when the source network address is not included in the list of trusted network addresses, disallowing the network communication on the first network;
  
  when the source network address is included in the list of trusted network addresses,receiving data representing a non-modifiable device identifier of the first computing device;
  
  determining whether the device identifier is included in a list of trusted device identifiers; and
  
  when the device identifier is included in the list of trusted device identifiers, allowing the network communication on the first network;
  
  receiving an indication of a white list of trusted network addresses that includes, for each of the trusted network addresses, one or more indications of allowable communication properties;
  
  determining a first communication property that is associated with the network communication;
  
  determining a second communication property that is an allowable communication property specified by an entry in the white list that corresponds to the source network address;
  
  evaluating the network communication with respect to the white list, by determining whether or not the first communication property is encompassed by the second communication property;
  
  in response to determining that the first communication property is not encompassed by the second communication property, disallowing the network communication; and
  
  in response to determining that the first communication property is encompassed by the second communication property, allowing the network communication; and
  
  randomly audits packets received at a network interface by;
  
  randomly selecting a first packet;
  
  determining whether the source network address and the non-modifiable device identifier associated with the first packet are both authorized;
  
  allowing multiple packets received from the first device subsequent to the first packet without verifying a non-modifiable device identifier;
  
  randomly selecting a second packet received after the multiple packets;
  
  determining whether the source network address and the non-modifiable device identifier are both authorized; and
  
  determining whether the source network address and the non-modifiable device identifier associated with the second packet are both authorized,wherein the first computing device is configured to execute a secure boot process that loads and executes only trusted code, wherein the trusted code disallows any modification of hardware identifiers of the first computing device including the non-modifiable device identifier.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Daniel Chien
Original Assignee
Daniel Chien
Inventors
Chien, Daniel
Primary Examiner(s)
Zarrineh, Shahriar

Application Number

US15/359,542
Publication Number

US 20180146001A1
Time in Patent Office

994 Days
Field of Search

713171
US Class Current
CPC Class Codes

G06F 21/44   Program or device authentic...

G06F 21/572   Secure firmware programming...

G06F 21/575   Secure boot

H04L 45/72   Routing based on the source...

H04L 45/745   Address table lookup; Addre...

H04L 63/0236   Filtering by address, proto...

H04L 63/0435   wherein the sending and rec...

H04L 63/06   for supporting key manageme...

H04L 63/061   for key exchange, e.g. in p...

H04L 63/0876   based on the identity of th...

H04L 63/1433   Vulnerability analysis

H04L 9/3247   involving digital signatures

Network security based on device identifiers and network addresses

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

123 Citations

16 Claims

Specification

Solutions

Use Cases

Quick Links

Network security based on device identifiers and network addresses

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

123 Citations

16 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links