Method and apparatus for network assessment and authentication

US 7,162,649 B1
Filed: 06/30/2000
Issued: 01/09/2007
Est. Priority Date: 06/30/2000
Status: Expired due to Fees

First Claim

Patent Images

1. A computer-implemented process for authenticating a workstation requesting a network service from a network server via a computer network, comprising the steps:

completing a vulnerability assessment of the workstation to identify security vulnerabilities that would compromise the secure operation of the workstation on the computer network;

generating workstation security credentials based on the vulnerability assessment, the workstation security credentials comprising one of integrity information describing whether the workstation has been compromised, and security posture information describing the workstation'"'"'s potential for compromise, wherein the step of generating the workstation security credentials comprises completing the vulnerability assessment of the workstation by a local workstation assessment service maintained on the workstation, the local workstation assessment service operative to generate the workstation security credentials;

comparing the workstation security credentials to a workstation security policy to determine whether the workstation should be granted access to the network service; and

authorizing access to the network service by the workstation if the workstation security credentials satisfy the workstation security policy, otherwise denying access to the network service by the workstation.

View all claims

2 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Providing a user with assurance that a networked computer is secure, typically before completion of the log-in operation. This can be accomplished by extending the local log-in process to perform a host assessment of the workstation prior to requesting the user'"'"'s credentials. If the assessment finds a vulnerability, the log-in process can inform the user that the machine is or may be compromised, or repair the vulnerability, prior to completion of the log-in operation. By performing vulnerability assessment at the level of the workstation, a network server is able to determine whether the workstation is a “trusted” platform from which to accept authentication requests. If the vulnerability assessment shows that the workstation is compromised, or if the possibility of remote compromise is high, the network server can elect to fail the authentication on the grounds that the workstation cannot be trusted. Optionally, a vulnerability assessment tool may be able to repair the vulnerability of the workstation, and then allow the authentication to proceed.

360 Citations

16 Claims

1. A computer-implemented process for authenticating a workstation requesting a network service from a network server via a computer network, comprising the steps:
- completing a vulnerability assessment of the workstation to identify security vulnerabilities that would compromise the secure operation of the workstation on the computer network;
  
  generating workstation security credentials based on the vulnerability assessment, the workstation security credentials comprising one of integrity information describing whether the workstation has been compromised, and security posture information describing the workstation'"'"'s potential for compromise, wherein the step of generating the workstation security credentials comprises completing the vulnerability assessment of the workstation by a local workstation assessment service maintained on the workstation, the local workstation assessment service operative to generate the workstation security credentials;
  
  comparing the workstation security credentials to a workstation security policy to determine whether the workstation should be granted access to the network service; and
  
  authorizing access to the network service by the workstation if the workstation security credentials satisfy the workstation security policy, otherwise denying access to the network service by the workstation.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11, 12, 13, 14)
- - 2. The computer-implemented process recited by claim 1 further comprising the step of authorizing access to a predetermined level of the network service if the workstation security credentials satisfy a portion of the workstation security policy.
  - 3. The computer-implemented process recited by claim 1, wherein the workstation security policy is maintained on the workstation, the process further comprising the step of providing the workstation security credentials from the local workstation assessment service to the workstation security policy.
  - 4. The computer-implemented process recited by claim 1 further comprising the step of communicating a service decision from the network server to the workstation via the computer network, the service decision defining whether the workstation is allowed to access the network service or a degraded form of the network service.
  - 5. The computer-implemented process recited by claim 1, wherein the workstation security policy is maintained on the network server, the process further comprising the step of comparing at the network server the workstation security credentials to the workstation security policy to determine whether the workstation should be granted access to the network service or a degraded form of the network service.
  - 6. The computer-implemented process recited by claim 1, wherein the workstation security policy is operative to define security requirements for secure operation of the workstation on the computer network.
  - 7. The computer-implemented process recited by claim 6, wherein the network service is further operative for comparing the workstation security credentials to the workstation security policy to determine whether the workstation should be granted access to a software service, the network service operative to authorize access to the software service by the workstation if the workstation security credentials satisfy the workstation security policy.
  - 8. The computer-implemented process recited by claim 1, further comprising:
    - running a network client on the workstation; and
      
      retrieving the workstation credentials from the local workstation assessment service with the network client.
  - 9. The computer-implemented process recited by claim 1, further comprising:
    - running a network client on the workstation;
      
      retrieving the workstation credentials from the local workstation assessment service with the network client; and
      
      obtaining user credentials with the network client.
  - 10. The computer-implemented process recited by claim 1, further comprising:
    - running a network client on the workstation; and
      
      obtaining user credentials with the network client from a user credential database.
  - 11. The computer-implemented process recited by claim 1, further comprising:
    - retrieving the workstation credentials from the local workstation assessment service with a network client residing on the workstation; and
      
      obtaining user credentials with the network client from a user credential database.
  - 12. The computer-implemented process recited by claim 1, further comprising:
    - retrieving the workstation credentials from the local workstation assessment service with a network client; and
      
      transmitting the workstation credentials over the computer network with the network client.
  - 13. The computer-implemented process recited by claim 1, further comprising:
    - obtaining user credentials with the network client; and
      
      transmitting the user credentials over the computer network with the network client.
  - 14. The computer-implemented process recited by claim 1, further comprising:
    - obtaining user credentials with a network client;
      
      retrieving the workstation credentials from the local workstation assessment service with the network client;
      
      transmitting the user and workstation credentials over the computer network with the network client.

15. A computer-implemented process for authenticating a workstation requesting a network service from a network server via a computer network, comprising the steps:
- completing a vulnerability assessment of the workstation to identify security vulnerabilities that would compromise the secure operation of the workstation on the computer network;
  
  generating workstation security credentials based on the vulnerability assessment, the workstation security credentials comprising one of integrity information describing whether the workstation has been compromised, and security posture information describing the workstation'"'"'s potential for compromise, wherein the step of generating the workstation security credentials comprises completing the vulnerability assessment of the workstation by a network workstation assessment service maintained on the network server, the network workstation assessment service operative to generate the workstation security credentials, wherein the workstation security policy is maintained on the workstation,providing the workstation security credentials from the network workstation assessment service to the workstation security policy on the workstation via the computer network;
  
  comparing the workstation security credentials to a workstation security policy to determine whether the workstation should be granted access to the network service; and
  
  authorizing access to the network service by the workstation if the workstation security credentials satisfy the workstation security policy, otherwise denying access to the network service by the workstation.
- View Dependent Claims (16)
- - 16. The computer-implemented process recited by claim 15 further comprising the step of authorizing access to a predetermined level of the network service if the workstation security credentials satisfy a portion of the workstation security policy.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
International Business Machines Corporation
Original Assignee
Internet Security Systems Incorporated (International Business Machines Corporation)
Inventors
Ide, Curtis E., Brass, Philip C., Doty, Theodore R.
Primary Examiner(s)
Sheikh; Ayaz
Assistant Examiner(s)
JACKSON, JENISE E

Application Number

US09/607,375
Time in Patent Office

2,384 Days
Field of Search

713200-202, 713155-156, 713/161, 713/173, 713/182, 713/159, 709/217, 709/219, 709/220, 709223-229
US Class Current

713/165
CPC Class Codes

G06F 21/31   User authentication

G06F 21/577   Assessing vulnerabilities a...

G06F 2211/009   Trust

G06F 2221/2113   Multi-level security, e.g. ...

H04L 63/08   for authentication of entit...

H04L 63/102   Entity profiles

H04L 63/1433   Vulnerability analysis

H04L 63/20   for managing network securi...

Method and apparatus for network assessment and authentication

First Claim

2 Assignments

0 Petitions

Accused Products

Abstract

360 Citations

16 Claims

Specification

Use Cases

Quick Links

Others

Method and apparatus for network assessment and authentication

First Claim

2 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

360 Citations

16 Claims

Specification

Subscription Required

Use Cases

Quick Links

Others