Detection of network environment for network access control

US 7,814,531 B2
Filed: 06/30/2006
Issued: 10/12/2010
Est. Priority Date: 06/30/2006
Status: Active Grant

First Claim

Patent Images

1. A network access control (NAC) method comprising:

receiving a request at a network access control module to connect a device to a network;

if a security policy is received for the connection of the device, applying the received security policy for the device;

if a security policy for the connection of the device is not received, then;

determining the domain of the device and establishing a security policy for the connection of the device based on the determined domain as follows;

determining whether the device is in an enterprise domain, and, if not, setting a non-enterprise security policy, and if the device is in the enterprise domain, then determining whether the device is in a network access control domain, and, if the device is not in a network access control domain, then setting a non-NAC environment security policy, and, if the device is in a network access control domain, then setting a non-compliant enterprise host security policy, and applying the established security policy to the device; and

determining whether to approve the request to connect the device to the network based at least in part on the security policy applied for the device;

wherein applying a security policy comprises enforcing security policy compliance for devices connecting to the network.

View all claims

1 Assignment

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

A method and apparatus for detection of network environment to aid policy selection for network access control. An embodiment of a method includes receiving a request to connect a device to a network and, if a security policy is received for the connection of the device, applying the policy for the device. If a security policy for the connection of the device is not received, the domain of the device is determined by determining whether the device is in an enterprise domain and determining whether the device is in a network access control domain, which allows selection of an appropriate domain/environment specific policy.

Citations

25 Claims

1. A network access control (NAC) method comprising:
- receiving a request at a network access control module to connect a device to a network;
  
  if a security policy is received for the connection of the device, applying the received security policy for the device;
  
  if a security policy for the connection of the device is not received, then;
  
  determining the domain of the device and establishing a security policy for the connection of the device based on the determined domain as follows;
  
  determining whether the device is in an enterprise domain, and, if not, setting a non-enterprise security policy, and if the device is in the enterprise domain, then determining whether the device is in a network access control domain, and, if the device is not in a network access control domain, then setting a non-NAC environment security policy, and, if the device is in a network access control domain, then setting a non-compliant enterprise host security policy, and applying the established security policy to the device; and
  
  determining whether to approve the request to connect the device to the network based at least in part on the security policy applied for the device;
  
  wherein applying a security policy comprises enforcing security policy compliance for devices connecting to the network.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein the network provides for static network addressing, and further comprising extracting a network address for the device.
  - 3. The method of claim 2, wherein determining the domain of the device comprises comparing an element of the network address to a list of pre-configured address elements.
  - 4. The method of claim 1, wherein the network provides for dynamic network addressing.
  - 5. The method of claim 4, further comprising determining whether a response from the device is received.
  - 6. The method of claim 5, wherein the response comprises a DHCP (dynamic host configuration protocol) response.
  - 7. The method of claim 5, wherein if a response from the device is received then determining whether the device is in an enterprise domain comprises extracting domain information from the response.
  - 8. The method of claim 7, wherein determining whether the device is in a network access control domain comprising applying a configured protocol option to the response.
  - 9. The method of claim 4, wherein an agent presence feature is available, and wherein determining the domain of the device comprises determining whether a network access control agent is present.
  - 10. The method of claim 1, further comprising signing data regarding the domain of the device using an industry standard signature method and conveying the data as part of a DHCP (dynamic host configuration protocol) response.

11. A network security apparatus for a network comprising:
- a network access control module, wherein, if the network access control module receives a security policy for the connection of a device to the network, the network access module is to identify the received security policy for the device, and, if the network access control module does not receive a security policy for the connection of a device to the network, the network access control module is to identify the platform of the device and a security policy for the connection of the device, the identification of the platform and security policy including;
  
  a determination whether the device in contained in an enterprise domain, and, if not, identifying a non-enterprise security policy, and if the device is in the enterprise domain, then a determination whether the device is contained in a network access control domain, and, if the device is not in a network access control domain, then identifying a non-NAC environment security policy, and, if the device is in a network access control domain, then identifying a non-compliant enterprise host security policy; and
  
  a network management module, the network management module to control access of the device to the network based at least in part on the determination of the platform of the device and the identified security policy;
  
  wherein to control access of the device to the network based at least in part on a security policy comprises enforcing security policy compliance for devices connecting to the network.
- View Dependent Claims (12, 13, 14)
- - 12. The network security apparatus of claim 11, wherein the network utilizes static IP (Internet protocol addressing), and wherein identification of the platform of the device by the network access control module includes comparing an element of an address of the device to a list of pre configured address elements.
  - 13. The network security apparatus of claim 11, wherein the network utilizes dynamic IP (Internet protocol addressing), and wherein identification of the platform of the device by the network access control module includes extracting data from a response of the device.
  - 14. The network security apparatus of claim 11, wherein the network utilizes dynamic IP (Internet protocol addressing), and wherein identification of the platform of the device by the network access control module includes using a presence function to determine whether a network access control agent is present.

15. A system comprising:
- a network access control module for a network to determine network access for a device;
  
  a trust server to provide compliance vectors to the network access control module; and
  
  a router, the router to direct a device connection request to the network access control module, the device supporting a network management system;
  
  wherein, if the network access control module receives a security policy for the connection of a device to the network, the network access control module is to identify the received security policy for the device, and, if the network access control module does not receive a security policy for the connection of a device to the network, the network access control module obtains data regarding the device to determine the domain of the device, including;
  
  whether the device is contained in an enterprise domain, and, if not, identifying a non-enterprise security policy, and if the device is in the enterprise domain, then whether the device is contained in a network access control domain, and, if the device is not in a network access control domain, then identifying a non-NAC environment security policy, and, if the device is in a network access control domain, then identifying a non-compliant enterprise host security policy;
  
  wherein for the connection of a device to the network based at least in part on a security policy comprises enforcing security policy compliance for devices connecting to the network.
- View Dependent Claims (16, 17, 18, 19, 20, 21)
- - 16. The system of claim 15, wherein the network management system enforces the identified security policy for access to the network by the device.
  - 17. The system of claim 15, wherein the network utilizes static IP (Internet Protocol) addressing, and wherein determining the domain of the device includes comparing at least a portion of the address of the device to a list of pre configured address elements.
  - 18. The system of claim 15, wherein the network utilizes dynamic IP (Internet Protocol) addressing.
  - 19. The system of claim 18, wherein determining the domain of the device includes receiving a response for the device and extracting the domain for the device from the response.
  - 20. The system of claim 18, wherein determining the domain of the device includes using a presence function to determine the presence of a network access control agent.
  - 21. The system of claim 15, wherein the data regarding the domain of the device is signed using an industry standard signature method and is conveyed as part of a DHCP (dynamic host configuration protocol) response.

22. A non-transitory computer-readable medium having stored thereon data representing sequences of instructions that, when executed by a processor, cause the processor to perform operations comprising:
- receiving a request at a network access control module to connect a device to a network;
  
  if a security policy is received for the connection of the device, applying the received security policy for the device; and
  
  if a security policy for the connection of the device is not received, then;
  
  determining the domain of the device and establishing a security policy for the connection of the device based on the determined domain as follows;
  
  determining whether the device is in an enterprise domain, and, if not, setting a non-enterprise security policy, and if the device is in the enterprise domain, then determining whether the device is in a network access control domain, and, if the device is not in a network access control domain, then setting a non-NAC environment security policy, and, if the device is in a network access control domain, then setting a non-compliant enterprise host security policy, and applying the established security policy to the device; and
  
  determining whether to approve the request to connect the device to the network based at least in part on the security policy applied for the device;
  
  wherein applying a security policy comprises enforcing security policy compliance for devices connecting to the network.
- View Dependent Claims (23, 24, 25)
- - 23. The medium of claim 22, wherein the network provides for static network addressing, and wherein determining whether the device is in an enterprise domain and determining whether the device is in a network access control domain comprises comparing an element of the network address of the device to a list of pre-configured address elements.
  - 24. The medium of claim 22, wherein the network provides for dynamic network addressing, and wherein determining the domain of the device comprises extracting domain information from a response from the device.
  - 25. The medium of claim 22, wherein the network provides for dynamic network addressing, and wherein determining the domain of the device comprises determining whether a network access control agent is present.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Kroiser, Ahuva, Eldar, Avigdor, Khosravi, Hormuzd, Grewal, Karanvir
Primary Examiner(s)
Orgad; Edan
Assistant Examiner(s)
Baum; Ronald

Application Number

US11/478,987
Publication Number

US 20080022355A1
Time in Patent Office

1,565 Days
Field of Search

726/1
US Class Current

726/1
CPC Class Codes

H04L 61/5014   using dynamic host configur...

H04L 63/0227   Filtering policies mail mes...

H04L 63/101   Access control lists [ACL]

H04L 63/102   Entity profiles

H04L 63/12   Applying verification of th...

Detection of network environment for network access control

First Claim

1 Assignment

0 Petitions

Accused Products

Abstract

Citations

25 Claims

Specification

Solutions

Use Cases

Quick Links

Detection of network environment for network access control

First Claim

1 Assignment

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

Citations

25 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links