Techniques for authenticated posture reporting and associated enforcement of network access

US 8,826,378 B2
Filed: 12/22/2009
Issued: 09/02/2014
Est. Priority Date: 06/30/2005
Status: Active Grant

First Claim

Patent Images

1. A method comprising:

establishing, by a firmware agent of an enforcement point, a secure control channel between the enforcement point and a policy decision point, wherein the enforcement point comprises a hardware-enforced partition that includes the firmware agent and is different from a partition on which an untrusted operating system of the enforcement point is stored;

transmitting, by the firmware agent, security posture information of the enforcement point to a policy decision point via the secure control channel;

receiving, by the firmware agent and from the policy decision point, a network access policy from the policy decision point based on the security posture information; and

enforcing the network access policy using the enforcement point.

View all claims

0 Assignments

Timeline View

Assignment View

0 Petitions

Accused Products

Abstract

Architectures and techniques that allow a firmware agent to operate as a tamper-resistant agent on a host platform that may be used as a trusted policy enforcement point (PEP) on the host platform to enforce policies even when the host operating system is compromised. The PEP may be used to open access control and/or remediation channels on the host platform. The firmware agent may also act as a local policy decision point (PDP) on the host platform in accordance with an authorized enterprise PDP entity by providing policies if a host trust agent is non-responsive and may function as a passive agent when the host trust agent is functional.

32 Citations

View as Search Results

28 Claims

1. A method comprising:
- establishing, by a firmware agent of an enforcement point, a secure control channel between the enforcement point and a policy decision point, wherein the enforcement point comprises a hardware-enforced partition that includes the firmware agent and is different from a partition on which an untrusted operating system of the enforcement point is stored;
  
  transmitting, by the firmware agent, security posture information of the enforcement point to a policy decision point via the secure control channel;
  
  receiving, by the firmware agent and from the policy decision point, a network access policy from the policy decision point based on the security posture information; and
  
  enforcing the network access policy using the enforcement point.
- View Dependent Claims (2, 3, 4, 5, 6, 7, 8, 9, 10, 11)
- - 2. The method of claim 1, wherein enforcing the network access policy using the enforcement point comprises applying network access limitations from the policy decision point using the enforcement point.
  - 3. The method of claim 1, wherein enforcing the network access policy using the enforcement point comprises applying a default access control limitation if no access control limitations have been sent to the enforcement point from the policy decision point.
  - 4. The method of claim 3, wherein if a network access control list provided by the enforcement point satisfies constraints specified by the policy decision point, the method further comprising selectively applying the network access control list by the enforcement point.
  - 5. The method of claim 1, wherein the network access policy comprises one or more access control lists (ACLs) received from the policy decision point.
  - 6. The method of claim 5, wherein at least one of the one or more access control lists from the policy decision point includes usage constraints related to one or more of location of the enforcement point, type of connection, time of day, firmware agent mode, enforcement point electronic device mode.
  - 7. The method of claim 6, wherein the at least one access control list is cryptographically bound to a pre-selected configuration of the enforcement point and/or a firmware agent resident on the enforcement point.
  - 8. The method of claim 1, wherein establishing the secure control channel comprises establishing a secure connection between the policy decision point and the firmware agent via a network interface, andwherein the enforcement point includes an untrustworthy component.
  - 9. The method of claim 8, wherein the untrustworthy component comprises a hardware platform running the untrusted operating system.
  - 10. The method of claim 8, wherein establishing the secure connection between the policy decision point and the firmware agent comprises cryptographically binding the policy decision point and the firmware agent.
  - 11. The method of claim 8, further comprising cryptographically binding the firmware agent with a trusted platform module resident on the enforcement point through, at least in part, generation, storage and certification of cryptographic keys used in cryptographic binding of the firmware agent to the policy decision point.

12. An article comprising a non-transitory computer-readable medium having stored thereon instructions that, when executed, cause one or more processors of an enforcement point to:
- establish, by a firmware agent of the enforcement point, a secure control channel between the enforcement point and a policy decision point, wherein the enforcement point comprises a hardware-enforced partition that includes the firmware agent and is different from a partition on which an untrusted operating system of the enforcement point is stored;
  
  transmit, by the firmware agent, security posture information of the enforcement point to a policy decision point via the secure control channel;
  
  receive, by the firmware agent and from the policy decision point, a network access policy from the policy decision point based on the security posture information; and
  
  enforce the network access policy using the enforcement point.
- View Dependent Claims (13, 14, 15, 16, 17, 18, 19, 20, 21, 22)
- - 13. The article of claim 12, wherein to enforce the network access policy using the enforcement point comprises to apply network access limitations from the policy decision point using the enforcement point.
  - 14. The article of claim 12, wherein to enforce the network access policy using the enforcement point comprises to apply a default access control limitation if no access control limitations have been sent to the enforcement point from the policy decision point.
  - 15. The article of claim 14, wherein if a network access control list provided by the enforcement point satisfies constraints specified by the policy decision point, the article further comprising to selectively apply the network access control list by the enforcement point.
  - 16. The article of claim 12, wherein the network access policy comprises one or more access control lists (ACLs) received from the policy decision point.
  - 17. The article of claim 16, wherein at least one of the one or more access control lists from the policy decision point includes usage constraints related to one or more of location of the enforcement point, type of connection, time of day, firmware agent mode, enforcement point electronic device mode.
  - 18. The article of claim 17, wherein the at least one access control list is cryptographically bound to a pre-selected configuration of the enforcement point and/or a firmware agent resident on the enforcement point.
  - 19. The article of claim 12, wherein to establish the secure control channel comprises to establish a secure connection between the policy decision point and the firmware agent via a network interface, wherein the enforcement point includes an untrustworthy component.
  - 20. The article of claim 19, wherein the untrustworthy component comprises a hardware platform running the untrusted operating system.
  - 21. The article of claim 19, wherein to establish the secure connection between the policy decision point and the firmware agent comprises to cryptographically bind the policy decision point and the firmware agent.
  - 22. The article of claim 19, further comprising to cryptographically bind the firmware agent with a trusted platform module resident on the enforcement point through, at least in part, generation, storage and certification of cryptographic keys used in cryptographic binding of the firmware agent to the policy decision point.

23. An apparatus comprising:
- a hardware-enforcement partition different from a partition on which an untrusted operating system is stored;
  
  an endpoint stored on the hardware-enforcement partition and coupled to a network interface to support one or more software agents; and
  
  a firmware agent coupled to the endpoint and the network interface to gather posture information from one or more security agents, to establish a secure control channel between the firmware agent and a policy decision point, to transmit a report including the posture information to the policy decision point via the network interface, and to configure the network interface according to network access control information received from the policy decision point via the network interface.
- View Dependent Claims (24, 25, 26, 27)
- - 24. The apparatus of claim 23 wherein at least one of the security agents comprises a hardware agent coupled with the endpoint.
  - 25. The apparatus of claim 23 wherein the network access control information comprises one or more access control lists (ACLs) received from the policy decision point.
  - 26. The apparatus of claim 25 wherein at least one of the one or more access control lists from the policy decision point include usage constraints related to one or more of:
    - location of the endpoint, type of connection, time of day, firmware agent mode, endpoint device mode.
  - 27. The apparatus of claim 26 wherein the at least one access control list is cryptographically bound to a pre-selected configuration of the firmware agent.

28. A method comprising:
- receiving, at a policy decision point via a network interface, security posture information of an endpoint via an enforcement point;
  
  determining network access policies from the policy decision point based on the security posture information; and
  
  enforcing the network access policies using the enforcement point,wherein the network access policies comprise one or more access control lists (ACLs) received from the policy decision point and wherein at least one access control list is cryptographically bound to a pre-selected configuration of the endpoint.

Specification

Resources

Litigation Campaign Assessment

Current Assignee
Intel Corporation
Original Assignee
Intel Corporation
Inventors
Durham, David, Sahita, Ravi, Grewal, Karanvir, Smith, Ned, Sood, Kapil
Primary Examiner(s)
Abrishamkar, Kaveh

Application Number

US12/655,024
Publication Number

US 20100107224A1
Time in Patent Office

1,715 Days
Field of Search

None
US Class Current

726/3
CPC Class Codes

G06F 2221/2141   Access rights, e.g. capabil...

H04L 63/0209   Architectural arrangements,...

H04L 63/08   for authentication of entit...

H04L 63/10   for controlling access to d...

H04L 63/20   for managing network securi...

H04L 9/3234   involving additional secure...

H04L 9/3247   involving digital signatures

H04L 9/3263   involving certificates, e.g...

Techniques for authenticated posture reporting and associated enforcement of network access

First Claim

0 Assignments

0 Petitions

Accused Products

Abstract

32 Citations

28 Claims

Specification

Solutions

Use Cases

Quick Links

Techniques for authenticated posture reporting and associated enforcement of network access

First Claim

0 Assignments

Subscription Required

Subscription Required

0 Petitions

Subscription Required

Accused Products

Subscription Required

Abstract

32 Citations

28 Claims

Specification

Subscription Required

Solutions

Use Cases

Quick Links