Isolation approach for network users associated with elevated risk

US 7,607,021 B2
Filed: 03/09/2004
Issued: 10/20/2009
Est. Priority Date: 03/09/2004
Status: Active Grant

First Claim

Patent Images

1. A method, comprising the computer-implemented steps of:

in a security controller that is coupled, through a network, to a network device having a first network address assigned from a first subset of addresses within a first specified pool associated with normal network users;

determining a user identifier associated with the network device that has caused a security event in the network;

in response to the security event, causing the network device to acquire a second network address that is selected from a second subset of addresses within a second specified pool associated with suspected malicious network users;

wherein the security event is an event that indicates at least one of;

a possible denial of service attack, possible IP address spoofing, extraneous requests for network addresses, and possible MAC address spoofing;

wherein the second subset of addresses is different from the first subset of addresses; and

configuring one or more security restrictions with respect to the second network address.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

An isolation approach for network users associated with elevated risk is disclosed for protecting networks. In one approach a method comprises the computer-implemented steps of determining a user identifier associated with a network device that has caused a security event in a network; causing the network device to receive a network address that is selected from a subset of addresses within a specified pool associated with suspected malicious network users; and configuring one or more security restrictions with respect to the selected network address.

Citations

47 Claims

1. A method, comprising the computer-implemented steps of:
- in a security controller that is coupled, through a network, to a network device having a first network address assigned from a first subset of addresses within a first specified pool associated with normal network users;
  
  determining a user identifier associated with the network device that has caused a security event in the network;
  
  in response to the security event, causing the network device to acquire a second network address that is selected from a second subset of addresses within a second specified pool associated with suspected malicious network users;
  
  wherein the security event is an event that indicates at least one of;
  
  a possible denial of service attack, possible IP address spoofing, extraneous requests for network addresses, and possible MAC address spoofing;
  
  wherein the second subset of addresses is different from the first subset of addresses; and
  
  configuring one or more security restrictions with respect to the second network address.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 23)
- - 2. A method as recited in claim 1, further comprising the steps of:
    - receiving information identifying the security event in the network;
      
      correlating the security event information with network user information to result in determining the user identifier associated with the network device.
  - 3. A method as recited in claim 1, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the step of causing the network device to acquire the second network address comprises waiting for expiration of a lease for a current network address of the network device.
  - 4. A method as recited in claim 1, wherein the step of causing the network device to acquire the second network address comprises the step of providing the network device with an IP address that is selected from a plurality of IP addresses within a special IP subnet.
  - 5. A method as recited in claim 4, further comprising the step of publishing information describing characteristics of the special IP subnet to network service providers.
  - 6. A method as recited in claim 1, wherein the step of configuring security restrictions comprises the steps of modifying an internet protocol (IP) access control list (ACL) associated with a port that is coupled to the network device to permit entry of IP traffic from only the second network address.
  - 7. A method as recited in claim 1, wherein the step of configuring security restrictions comprises the steps of modifying a media access control (MAC) ACL associated with a port that is coupled to the network device to permit entry of traffic only for a MAC address that is bound to the second network address.
  - 8. A method as recited in claim 1, further comprising the steps of determining whether a malicious act caused the security event, and if so, providing information about the security event or malicious act to a security decision controller.
  - 9. A method as recited in claim 1, further comprising the steps of determining whether a malicious act caused the security event, and if not, removing the user from the second specified pool.
  - 10. A method as recited in claim 1, further comprising the steps of determining whether a malicious act caused the security event, wherein a legal user action in the network is not determined to be a malicious act if the user is associated with a trusted customer of a network service provider.
  - 23. The method of claim 1, wherein causing the network device to acquire a second network address comprises performing an action that causes the network device to request a new network address.

11. A computer-readable storage medium carrying one or more sequences of instructions, which instructions, when executed by one or more processors, cause the one or more processors to carry out the steps of:
- in a security controller that is coupled, though a network, to a network device having a first network address assigned from a first subset of addresses within a first specified pool associated with normal network users;
  
  determining a user identifier associated with the network device that has caused a security event in the network;
  
  in response to the security event, causing the network device to acquire a second network address that is selected from a second subset of addresses within a second specified pool associated with suspected malicious network users;
  
  wherein the security event is an event that indicates at least one of;
  
  a possible denial of service attack, possible IP address spoofing, extraneous requests for network addresses, and possible MAC address spoofing;
  
  wherein the second subset of addresses is different from the first subset of addresses; and
  
  configuring one or more security restrictions with respect to the second network address.
- View Dependent Claims (17, 18, 19)
- - 17. The computer-readable storage medium of claim 11, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the instructions which, when executed, cause the network device to acquire the second network address comprise instructions which when executed cause resetting a port that is coupled to the network device to prompt a user to command the network device to request a new network address using DHCP.
  - 18. The computer-readable storage medium of claim 11, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the instructions which when executed cause the network device to acquire the second network address comprise instructions which when executed cause issuing a DHCP FORCE_RENEW message to the network device.
  - 19. The computer-readable storage medium of claim 11, wherein instructions which when executed cause the network device to acquire a second network address comprise instructions which when executed cause providing the network device with an IP address that is selected from a plurality of IP addresses within a special IP subnet.

12. An apparatus, comprising:
- in a security controller that is coupled, though a network, to a network device having a first network address assigned from a first subset of addresses within a first specified pool associated with normal network users;
  
  means for determining a user identifier associated with the network device that has caused a security event in the network;
  
  means for, in response to the security event, causing the network device to acquire a second network address that is selected from a second subset of addresses within a second specified pool associated with suspected malicious network users;
  
  wherein the security event is an event that indicates at least one of;
  
  a possible denial of service attack, possible IP address spoofing, extraneous requests for network addresses, and possible MAC address spoofing;
  
  wherein the second subset of addresses is different from the first subset of addresses; and
  
  means for configuring one or more security restrictions with respect to the second network address.
- View Dependent Claims (20, 21, 22, 35, 36, 37, 38, 39, 40, 41, 42, 43, 44)
- - 20. The apparatus of claim 12, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the means for causing the network device to acquire the second network address comprise means for resetting a port that is coupled to the network device to prompt a user to command the network device to request a new network address using DHCP.
  - 21. The apparatus of claim 12, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the means for causing the network device to acquire the second network address comprise means for issuing a DHCP FORCE_RENEW message to the network device.
  - 22. The apparatus of claim 12, wherein the means for causing the network device to acquire a new network address comprise means for providing the network device with an IP address that is selected from a plurality of IP addresses within a special IP subnet.
  - 35. The apparatus as recited in claim 12, further comprising:
    - means for receiving information identifying the security event in the network; and
      
      means for correlating the security event information with network user information to result in determining the user identifier associated with the network device.
  - 36. The apparatus as recited in claim 12, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the means for causing the network device to acquire the second network address comprises means for prompting the network device to request a new network address using DHCP.
  - 37. The apparatus as recited in claim 12, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the means for causing the network device to acquire the second network address comprises waiting for expiration of a lease for a current network address of the network device.
  - 38. The apparatus as recited in claim 22, further comprising:
    - means for publishing information describing characteristics of the special IP subnet to network service providers.
  - 39. The apparatus as recited in claim 12, wherein the means for configuring security restrictions comprises means for modifying an internet protocol (IP) access control list (ACL) associated with a port that is coupled to the network device to permit entry of IP traffic from only the second network address.
  - 40. The apparatus as recited in claim 12, wherein the means for configuring security restrictions comprises means for modifying a media access control (MAC) ACL associated with a port that is coupled to the network device to permit entry of traffic only for a MAC address that is bound to the second network address.
  - 41. The apparatus as recited in claim 12, further comprising:
    - means for determining whether a malicious act caused the security event, and if so, providing information about the security event or malicious act to a security decision controller.
  - 42. The apparatus as recited in claim 12, further comprising:
    - means for determining whether a malicious act caused the security event, and if not, removing the user from the second specified pool.
  - 43. The apparatus as recited in claim 12, further comprising:
    - means for determining whether a malicious act caused the security event, wherein a legal user action in the network is not determined to be a malicious act if the user is associated with a trusted customer of a network service provider.
  - 44. The apparatus as recited in claim 12, wherein the means for causing the network device to acquire a second network address comprises means for performing an action that causes the network device to request a new network address.

13. An apparatus, comprising:
- a network interface that is coupled to a data network for receiving one or more packet flows therefrom;
  
  a processor;
  
  one or more stored sequences of instructions which, when executed by the processor, cause the processor to carry out the steps of;
  
  in a security controller that is coupled, though the data network, to a network device having a first network address assigned from a first subset of addresses within a first specified pool associated with normal network users;
  
  determining a user identifier associated with the network device that has caused a security event in the network;
  
  in response to the security event, causing the network device to acquire a second network address that is selected from a second subset of addresses within a second specified pool associated with suspected malicious network users;
  
  wherein the security event is an event that indicates at least one of;
  
  a possible denial of service attack, possible IP address spoofing, extraneous requests for network addresses, and possible MAC address spoofing;
  
  wherein the second subset of addresses is different from the first subset of addresses; and
  
  configuring one or more security restrictions with respect to the second network address.
- View Dependent Claims (14, 15, 16, 25, 26, 27, 28, 29, 30, 31, 32, 33, 34)
- - 14. The apparatus of claim 13, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the instructions which when executed cause the network device to acquire a second network address comprise instructions which when executed cause resetting a port that is coupled to the network device to prompt a user to command the network device to request a new network address using DHCP.
  - 15. The apparatus of claim 13, wherein instructions which when executed cause the network device to acquire a second network address comprise instructions which when executed cause providing the network device with an IP address that is selected from a plurality of IP addresses within a special IP subnet.
  - 16. The apparatus of claim 13, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the instructions which when executed cause the network device to acquire a second network address comprise instructions which when executed cause issuing a DHCP FORCE_RENEW message to the network device.
  - 25. The apparatus as recited in claim 13, wherein the one or more stored sequences of instructions, when executed by the processor, further cause the processor to perform:
    - receiving information identifying the security event in the network;
      
      correlating the security event information with network user information to result in determining the user identifier associated with the network device.
  - 26. The apparatus as recited in claim 13, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein causing the network device to acquire the second network address comprises prompting the network device to request a new network address using DHCP.
  - 27. The apparatus as recited in claim 13, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein causing the network device to acquire the second network address comprises waiting for expiration of a lease for a current network address of the network device.
  - 28. The apparatus as recited in claim 15, wherein the one or more stored sequences of instructions, when executed by the processor, further cause the processor to perform:
    - publishing information describing characteristics of the special IP subnet to network service providers.
  - 29. The apparatus as recited in claim 13, wherein configuring security restrictions comprises modifying an internet protocol (IP) access control list (ACL) associated with a port that is coupled to the network device to permit entry of IP traffic from only the second network address.
  - 30. The apparatus as recited in claim 13, wherein configuring security restrictions comprises modifying a media access control (MAC) ACL associated with a port that is coupled to the network device to permit entry of traffic only for a MAC address that is bound to the second network address.
  - 31. The apparatus as recited in claim 13, wherein the one or more stored sequences of instructions, when executed by the processor, further cause the processor to perform:
    - determining whether a malicious act caused the security event, and if so, providing information about the security event or malicious act to a security decision controller.
  - 32. The apparatus as recited in claim 13, wherein the one or more stored sequences of instructions, when executed by the processor, further cause the processor to perform:
    - determining whether a malicious act caused the security event, and if not, removing the user from the second specified pool.
  - 33. The apparatus as recited in claim 13, wherein the one or more stored sequences of instructions, when executed by the processor, further cause the processor to perform:
    - determining whether a malicious act caused the security event, wherein a legal user action in the network is not determined to be a malicious act if the user is associated with a trusted customer of a network service provider.
  - 34. The apparatus as recited in claim 13, wherein causing the network device to acquire a second network address comprises performing an action that causes the network device to request a new network address.

24. A method, comprising the computer-implemented steps of:
- in a security controller that is coupled, though a network, to a network device having a first network address assigned from a first subset of addresses within a first specified pool associated with normal network users;
  
  in response to a security event in the network, causing the network device to acquire a second network address that is selected from a second subset of addresses within a second specified pool associated with suspected malicious network users;
  
  wherein the security event is an event that indicates at least one of;
  
  a possible denial of service attack, possible IP address spoofing, extraneous requests for network addresses, and possible MAC address spoofing;
  
  wherein causing the network device to acquire a second network address comprises performing an action that causes the network device to request a new network address;
  
  wherein the second subset of addresses is different from the first subset of addresses; and
  
  configuring one or more security restrictions with respect to the new network address.
- View Dependent Claims (45, 46, 47)
- - 45. A method as recited in claim 24, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the step of causing the network device to acquire the second network address comprises resetting a port that is coupled to the network device to prompt a user to command the network device to request a new network address using DHCP.
  - 46. A method as recited in claim 24, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the step of causing the network device to acquire the second network address comprises issuing a DHCP FORCE_RENEW message to the network device.
  - 47. A method as recited in claim 24, wherein the network device uses dynamic host control protocol (DHCP) to obtain the second network address, and wherein the step of causing the network device to acquire the second network address comprises prompting the network device to request a new network address using DHCP.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Original Assignee
Cisco Technology, Inc. (Cisco Systems, Inc.)
Inventors
Droms, Ralph, Rayes, Mark Ammar, Dini, Petre, Cheung, Michael
Primary Examiner(s)
Zand; Kambiz
Assistant Examiner(s)
SHAIFER HARRIMAN, DANT B

Application Number

US10/797,773
Publication Number

US 20050204162A1
Time in Patent Office

2,051 Days
Field of Search

726/11, 713/153, 709/203, 370/1
US Class Current

713/188
CPC Class Codes

H04L 61/103   across network layers, e.g....

H04L 61/5014   using dynamic host configur...

H04L 61/5061   Pools of addresses

H04L 63/101   Access control lists [ACL]

H04L 63/1408   by monitoring network traff...

H04L 63/1433   Vulnerability analysis

Isolation approach for network users associated with elevated risk

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

47 Claims

Specification

Solutions

Use Cases

Quick Links

Isolation approach for network users associated with elevated risk

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

47 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links