Techniques for authenticated posture reporting and associated enforcement of network access

US 8,671,439 B2
Filed: 07/23/2009
Issued: 03/11/2014
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

receiving posture information, at a remote device via a network interface, for an endpoint;

determining network access policies for the endpoint based on the posture information, the network access policies comprising at least one access control list that is cryptographically bound to a pre-selected configuration of the endpoint and/or a firmware agent resident on the endpoint; and

enforcing the network access policies.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

32 Citations

View as Search Results

28 Claims

1. A method comprising:
- receiving posture information, at a remote device via a network interface, for an endpoint;
  
  determining network access policies for the endpoint based on the posture information, the network access policies comprising at least one access control list that is cryptographically bound to a pre-selected configuration of the endpoint and/or a firmware agent resident on the endpoint; and
  
  enforcing the network access policies.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10)
- - 2. The method of claim 1, wherein enforcing the network access policies comprises applying network access limitations from the remote device by components of the endpoint.
  - 3. The method of claim 1, wherein enforcing the network access policies comprises applying a default access control limitation if no access control limitations have been sent to the endpoint from the remote device.
  - 4. The method of claim 3, wherein if a network access control list provided by the endpoint satisfies constraints specified by the remote device, the method further comprising selectively applying the network access control list provided by the endpoint.
  - 5. The method of claim 1, wherein the remote device comprises a network access policy decision point (PDP).
  - 6. The method of claim 1, wherein at least one of the one or more access control lists from the remote device include usage constraints related to one or more of:
    - location of the endpoint, type of connection, time of day, firmware agent mode, endpoint electronic device mode.
  - 7. The method of claim 1, wherein a secure connection is established between the remote device and a trusted firmware agent resident on the endpoint via the network interface, wherein the endpoint includes an untrustworthy component.
  - 8. The method of claim 7, wherein the untrustworthy component comprises a hardware platform running an untrusted operating system.
  - 9. The method of claim 7, wherein the secured connection established between the remote device and the trusted firmware agent comprises cryptographically binding the remote device and the firmware agent.
  - 10. The method of claim 7, further comprising cryptographically binding the firmware agent with a trusted platform module resident on the endpoint through, at least in part, generation, storage and certification of cryptographic keys used in cryptographic binding of the firmware agent to the remote device.

11. An article comprising a computer-readable storage device having stored thereon instructions that, when executed, cause one or more processors to:
- receive posture information, at a remote device via a network interface, for an endpoint;
  
  determine network access policies for the endpoint based on the posture information wherein at least one of the network access policies is cryptographically bound to a pre-selected configuration of the endpoint and/or a firmware agent resident on the endpoint; and
  
  enforce the network access policies.
- View Dependent Claims (12, 13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 12. The article of claim 11, wherein to enforce the network access policies comprises to apply network access limitations from the remote device by components of the endpoint.
  - 13. The article of claim 11, wherein to enforce the network access policies comprises to apply a default access control limitation if no access control limitations have been sent to the endpoint from the remote device.
  - 14. The article of claim 13, wherein if a network access control list provided by the endpoint satisfies constraints specified by the remote device, the article further comprising instructions to selectively apply the network access control list provided by the endpoint.
  - 15. The article of claim 11, wherein the remote device comprises a network access policy decision point (PDP).
  - 16. The article of claim 11, wherein the network access policies comprise one or more access control lists (ACLs) received from the remote device.
  - 17. The article of claim 16, wherein at least one of the one or more access control lists from the remote device includes usage constraints related to one or more of location of the endpoint, type of connection, time of day, firmware agent mode, endpoint electronic device mode.
  - 18. The article of claim 17, wherein the at least one access control list is cryptographically bound to a pre-selected configuration of the endpoint and/or a firmware agent resident on the endpoint.
  - 19. The article of claim 11, wherein a secure connection is established between the remote device and a trusted firmware agent resident on the endpoint via the network interface, wherein the endpoint includes an untrustworthy component.
  - 20. The article of claim 19, wherein the untrustworthy component comprises a hardware platform running an untrusted operating system.
  - 21. The article of claim 19, wherein the secured connection established between the remote device and the trusted firmware agent comprises cryptographically binding the remote device and the firmware agent.
  - 22. The article of claim 19, further comprising instructions to cryptographically bind the firmware agent with a trusted platform module resident on the endpoint through, at least in part, generation, storage and certification of cryptographic keys used in cryptographic binding of the firmware agent to the remote device.

23. An apparatus comprising:
- an endpoint coupled to a network interface to support one or more software agents and configured to establish a first host environment and a second host environment;
  
  a firmware agent coupled to the endpoint and the network interface and separately cryptographically bound to the first host environment and the second host environment to gather posture information from one or more security agents, to transmit a report including the posture information to a remote device via the network interface, and to configure the network interface according to network access control information received from the remote device via the network interface.
- View Dependent Claims (24, 25, 26, 27, 28)
- - 24. The apparatus of claim 23 wherein at least one of the security agents comprises a hardware agent coupled with the endpoint.
  - 25. The apparatus of claim 23 wherein the remote device comprises a network access policy decision point (PDP).
  - 26. The apparatus of claim 23 wherein the network access control information comprises one or more access control lists (ACLs) received from the remote device.
  - 27. The apparatus of claim 26 wherein at least one of the one or more access control lists from the remote device include usage constraints related to one or more of:
    - location of the endpoint, type of connection, time of day, firmware agent mode, endpoint device mode.
  - 28. The apparatus of claim 27 wherein the at least one access control list is cryptographically bound to a pre-selected configuration of the firmware agent.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Durham, David, Sahita, Ravi, Grewal, Karanvir, Smith, Ned, Sood, Kapil
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US12/460,736
Publication Number

US 20100071032A1
Time in Patent Office

1,692 Days
Field of Search

None
US Class Current

726/3
CPC Class Codes

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0209   Architectural arrangements,...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Techniques for authenticated posture reporting and associated enforcement of network access

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for authenticated posture reporting and associated enforcement of network access

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links