Techniques for authenticated posture reporting and associated enforcement of network access
Abstract
Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.
28 Claims
1. A method comprising:
establishing, by a firmware agent of an enforcement point, a secure control channel between the enforcement point and a policy decision point, wherein the enforcement point comprises a hardware-enforced partition that includes the firmware agent and is different from a partition on which an untrusted operating system of the enforcement point is stored;
transmitting, by the firmware agent, security posture information of the enforcement point to a policy decision point via the secure control channel;
receiving, by the firmware agent and from the policy decision point, a network access policy from the policy decision point based on the security posture information; and
enforcing the network access policy using the enforcement point.
Dependent claims: 2-11.

12. An article comprising a non-transitory computer-readable medium having stored thereon instructions that, when executed, cause one or more processors of an enforcement point to:
establish, by a firmware agent of the enforcement point, a secure control channel between the enforcement point and a policy decision point, wherein the enforcement point comprises a hardware-enforced partition that includes the firmware agent and is different from a partition on which an untrusted operating system of the enforcement point is stored;
transmit, by the firmware agent, security posture information of the enforcement point to a policy decision point via the secure control channel;
receive, by the firmware agent and from the policy decision point, a network access policy from the policy decision point based on the security posture information; and
enforce the network access policy using the enforcement point.
Dependent claims: 13-22.

23. An apparatus comprising:
a hardware-enforcement partition different from a partition on which an untrusted operating system is stored;
an endpoint stored on the hardware-enforcement partition and coupled to a network interface to support one or more software agents; and
a firmware agent coupled to the endpoint and the network interface to gather posture information from one or more security agents, to establish a secure control channel between the firmware agent and a policy decision point, to transmit a report including the posture information to the policy decision point via the network interface, and to configure the network interface according to network access control information received from the policy decision point via the network interface.
Dependent claims: 24-27.

28. A method comprising:
receiving, at a policy decision point via a network interface, security posture information of an endpoint via an enforcement point;
determining network access policies from the policy decision point based on the security posture information; and
enforcing the network access policies using the enforcement point, wherein the network access policies comprise one or more access control lists (ACLs) received from the policy decision point and wherein at least one access control list is cryptographically bound to a pre-selected configuration of the endpoint.
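The posture-report, policy-decision and enforcement exchange of claims 1 and 28, as an added illustration that is not part of the patent: the firmware agent reports a digest of the endpoint configuration, the PDP returns an ACL bound to that digest, and the agent applies the ACL only while the live configuration still matches. The binding mechanism (an HMAC over the configuration digest and the ACL under a key shared over the secure control channel), the posture fields and the ACL strings are all assumptions; the claims do not specify them.

```python
import hashlib
import hmac
import json

# Constructed sample key: stands in for whatever secret the secure control
# channel between firmware agent and PDP provides (assumption, not from the patent).
CONTROL_CHANNEL_KEY = b"constructed-shared-key-for-the-secure-control-channel"

def config_digest(config: dict) -> str:
    """Canonical SHA-256 digest of the endpoint's pre-selected configuration."""
    canonical = json.dumps(config, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode()).hexdigest()

def posture_report(config: dict) -> dict:
    """Firmware-agent side: the security posture report sent over the control channel."""
    posture = {k: config[k] for k in ("av_signature_age_days", "patch_level")}
    return {"posture": posture, "config_digest": config_digest(config)}

def pdp_decide(report: dict, key: bytes) -> dict:
    """PDP side: pick an ACL from the posture and bind it to the reported configuration."""
    p = report["posture"]
    healthy = p["av_signature_age_days"] <= 7 and p["patch_level"] >= 10
    if healthy:
        acl = ["permit tcp any 10.0.0.0/8 eq 443"]      # constructed: normal access
    else:
        acl = ["permit tcp any 10.0.9.9/32 eq 443"]     # constructed: remediation host only
    acl.append("deny ip any any")
    payload = report["config_digest"] + "|" + json.dumps(acl)
    tag = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    return {"acl": acl, "bound_to": report["config_digest"], "tag": tag}

def pep_enforce(current_config: dict, policy: dict, key: bytes) -> list:
    """Firmware-agent side: apply the ACL only if its binding matches the live configuration.

    Recomputing the tag over the *current* configuration means an ACL issued for one
    configuration cannot be replayed after the endpoint drifts, and a modified ACL
    fails verification. Either case fails closed to deny-all.
    """
    payload = config_digest(current_config) + "|" + json.dumps(policy["acl"])
    expected = hmac.new(key, payload.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, policy["tag"]):
        return ["deny ip any any"]
    return list(policy["acl"])
```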
Specification