Controlling access to resources in a network
First Claim
1. A computer-implemented method to control access to resources in a network by using an intercepting device, a policy server, and a remediation server and based on security posture credentials and access instructions, the computer-implemented method comprising:
intercepting, by the intercepting device, one or more messages sent by a computerized device requesting access to one of the resources in the network, the intercepting device comprising a data communications device;
prior to granting the computerized device with the requested access to the network, and in response to intercepting the one or more messages sent by the computerized device, selecting, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computing device in order to generate a security posture credential representing a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving the security posture credential, forwarding the security posture credential to the policy server, whereupon the policy server analyzes the security posture credential relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
applying the redirect access instruction at the intercepting device by operation of one or more computer processors, to communications traffic originating from the computerized device and destined for resources within the network, in order to grant the computerized device with access to the remediation server without including access to the resources in the network;
wherein upon determining the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon successful completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the intercepting device to grant the computerized device with access to the resources in the network;
wherein upon failure of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a restrict access instruction applicable by the intercepting device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable by the intercepting device to restrict routing of any communications traffic destined for locations outside the network.
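The flow of claim 1 modelled as a small simulation, added here as an illustration and not the patent's own code: an intercepting device challenges a device's posture agent before forwarding anything, a policy server compares the credential against an accepted credential set, and the resulting grant, redirect or restrict instruction is applied only to traffic bound for the network while outbound traffic is left alone. The network prefix, the remediation server address and the three posture attributes are constructed values.

```python
"""Added model of the claimed posture-validation flow: an intercepting device, a
policy server and a remediation server issuing grant / redirect / restrict instructions."""
from dataclasses import dataclass
from enum import Enum
from ipaddress import IPv4Network, ip_address, ip_network
from typing import Callable, Dict, List

Credential = Dict[str, str]  # affirmative descriptions reported by the posture program

class Instruction(Enum):
    GRANT = "grant"        # full access to network resources
    REDIRECT = "redirect"  # internal traffic may reach the remediation server only
    RESTRICT = "restrict"  # internal traffic denied; outbound traffic is left alone

@dataclass
class Device:
    ip: str
    attributes: Credential

    def posture_program(self) -> Credential:
        # Posture agent: snapshot of the current component state (re-read after fixes).
        return dict(self.attributes)

# Accepted credential set: requirement name -> predicate. Constructed requirements.
ACCEPTED_CREDENTIAL_SET: Dict[str, Callable[[Credential], bool]] = {
    "antivirus_running": lambda c: c.get("antivirus_running") == "true",
    "signature_age_days": lambda c: int(c.get("signature_age_days", "9999")) <= 7,
    "os_patch_level": lambda c: c.get("os_patch_level", "0000-00") >= "2024-01",
}

class PolicyServer:
    def __init__(self, accepted: Dict[str, Callable[[Credential], bool]]):
        self.accepted = accepted

    def validate(self, credential: Credential) -> List[str]:
        """Posture validation result: unmet requirements (empty = compliant); they double as remedial actions."""
        return [name for name, ok in self.accepted.items() if not ok(credential)]

class RemediationServer:
    # Remedial actions this server can perform; OS patching is deliberately absent
    # so that one device exercises the failure path (restrict access instruction).
    FIXES: Dict[str, Callable[[Credential], None]] = {
        "antivirus_running": lambda a: a.update(antivirus_running="true"),
        "signature_age_days": lambda a: a.update(signature_age_days="0"),
    }

    def remediate(self, device: Device, actions: List[str]) -> bool:
        for action in actions:
            if action not in self.FIXES:
                return False  # cannot bring the device into compliance
            self.FIXES[action](device.attributes)
        return True

class InterceptingDevice:
    def __init__(self, network: IPv4Network, policy: PolicyServer, remediation_ip: str):
        self.network, self.policy, self.remediation_ip = network, policy, remediation_ip
        self.table: Dict[str, Instruction] = {}  # current access instruction per device
        self.pending: Dict[str, List[str]] = {}  # remedial actions per redirected device

    def forward(self, device: Device, dst: str) -> str:
        """Apply the device's access instruction to one flow; returns the outcome."""
        if device.ip not in self.table:
            self.challenge(device)  # posture is checked before any access is granted
        if ip_address(dst) not in self.network:
            return "forward"  # no instruction restricts traffic leaving the network
        instr = self.table[device.ip]
        if instr is Instruction.GRANT:
            return "forward"
        if instr is Instruction.REDIRECT:
            return f"redirect:{self.remediation_ip}"
        return "drop"

    def challenge(self, device: Device) -> None:
        unmet = self.policy.validate(device.posture_program())
        self.table[device.ip] = Instruction.REDIRECT if unmet else Instruction.GRANT
        self.pending[device.ip] = unmet

    def remediation_done(self, device: Device, success: bool) -> None:
        # Re-validate after remediation: grant on success, restrict on failure.
        compliant = success and not self.policy.validate(device.posture_program())
        self.table[device.ip] = Instruction.GRANT if compliant else Instruction.RESTRICT

def run_scenario() -> Dict[str, List[str]]:
    """Three constructed devices; returns the forwarding outcome of each flow."""
    idev = InterceptingDevice(ip_network("10.0.0.0/8"), PolicyServer(ACCEPTED_CREDENTIAL_SET), "10.0.0.5")
    remediation, file_server, internet = RemediationServer(), "10.2.0.20", "203.0.113.7"
    devices = {
        "healthy": Device("10.1.1.10", {"antivirus_running": "true", "signature_age_days": "2", "os_patch_level": "2024-03"}),
        "stale": Device("10.1.1.11", {"antivirus_running": "false", "signature_age_days": "30", "os_patch_level": "2024-03"}),
        "unpatched": Device("10.1.1.12", {"antivirus_running": "true", "signature_age_days": "1", "os_patch_level": "2023-06"}),
    }
    log = {}
    for name, dev in devices.items():
        first = idev.forward(dev, file_server)                 # challenge happens on first flow
        ok = remediation.remediate(dev, idev.pending[dev.ip])  # no-op for a compliant device
        idev.remediation_done(dev, ok)
        log[name] = [first, idev.forward(dev, file_server), idev.forward(dev, internet)]
    return log
```

The stale device is redirected, fixed and then granted; the unpatched device is redirected, cannot be remediated and is restricted, yet its Internet-bound flow is still forwarded, which is the last clause of the claim.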
Abstract
A computerized device transmits an access request to a data communications device of a network in an attempt to access network resources within the network. The data communications device, in response and in real-time, transmits a challenge request to the computerized device that directs the computerized device to retrieve configuration, or posture, credentials associated with the computerized device. A policy server receives the challenge response and, based upon a real-time analysis of the posture credentials of the computerized device, determines a security state of the computerized device and either provides some level or denies the computerized device access to the network resources based upon the analysis of posture. The data communications device detects the real-time security state of the computerized device prior to providing the computerized device with controlled access to the network resources, thereby limiting vulnerable computerized devices from accessing the network resources and minimizing the risk that the network resources receive or transmit malware.
106 Citations
53 Claims
1. (Independent claim 1 is reproduced above under First Claim.) Dependent claims: 2-28.
29. A data communications device to control access to resources in a network by operating, as an intercepting device, in conjunction with a policy server and a remediation server, and based on security posture credentials and access instructions, the data communications device comprising:
at least one communications interface;
a controller; and
an interconnection mechanism coupling the at least one communications interface and the controller;
wherein the controller is configured to:
intercept a request for access sent from a computerized device, through the data communications device, to a network resource in the network;
prior to granting the computerized device with the requested access to the network resource, and in response to intercepting the request for access, select, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computing device in order to generate a security posture credential representing a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving, from one or more of the plurality of security posture plug-ins, the security posture credential, forward the security posture credential to the policy server, whereupon the policy server analyzes the security posture credential relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
apply the redirect access instruction at the intercepting device to network communications traffic originating from the computerized device and destined for resources within the network in order to grant the computerized device with access to the remediation server without including access to the resources in the network; and
wherein upon determining the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon successful completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the intercepting device to grant the computerized device with access to the resources in the network;
wherein upon failure of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a restrict access instruction applicable by the intercepting device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable by the intercepting device to restrict routing of any communications traffic destined for locations outside the network.
Dependent claims: 30-35.
36. A non-transitory computer-readable medium including computer program logic encoded thereon that, when performed on a controller in a data communications device having a coupling to at least one communications interface, performs an operation to control access to resources in a network by the data communications device acting, as an intercepting device, in conjunction with a policy server and a remediation server and based on security posture credentials and access instructions, the operation comprising:
intercepting, by the intercepting device, an attempted access sent from a computerized device, through the data communications device, to a network resource in the network;
prior to granting the computerized device with the requested access to the network resource, and in response to intercepting the attempted access, selecting, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computing device in order to generate a security posture credential representing a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving, from one or more of the plurality of security posture plug-ins, the security posture credential, forwarding the security posture credential to the policy server, whereupon the policy server analyzes the security posture credentials relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
applying the redirect access instruction at the intercepting device by operation of one or more computer processors when executing the computer program logic, to network communications traffic originating from the computerized device and destined for resources within the network in order to grant the computerized device with access to the remediation server without including access to the resources in the network; and
wherein upon determining that the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon successful completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the intercepting device to grant the computerized device with access to the resources in the network;
wherein upon failure of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a restrict access instruction applicable by the intercepting device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable by the intercepting device to restrict routing of any communications traffic destined for locations outside the network.
37. A computer-implemented method to control access to computing resources in a network, by using a routing device, a policy server, and a remediation server and based on security posture credentials and remediation attributes, the computer-implemented method comprising:
receiving, by the routing device connected to the network, from a computing device connected to the network, network traffic directed to a computing resource available over the network;
in response, collecting, from a posture program, a security posture credential indicating a current configuration state of one or more components on the computing device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computing device;
(ii) a posture plug-in executing on the computing device; and
(iii) an audit server operatively connected to the computing device;
forwarding the security posture credential collected from the computing device to the policy server by operation of one or more computer processors, wherein the policy server performs an initial evaluation of the security posture credential of the computing device in order to determine a posture validation result indicating whether the computing device satisfies requirements of a security policy for accessing the computing resource;
upon receiving a message from the policy server indicating that the security posture credential does not satisfy requirements of the security policy, redirecting access by:
forwarding one or more remediation attributes to the remediation server to update, based on the one or more remediation attributes, the then current configuration state of the one or more components on the computing device in order to satisfy the requirements of the security policy; and
forwarding network traffic from the computing resource towards the remediation server without granting access to the computing resource in the network; and
upon receiving a message from the policy server indicating that the security posture credential satisfies the requirements of the security policy, or upon receiving a message from the remediation server indicating that the then current configuration state was successfully updated, granting access by:
forwarding network traffic received from the computing device towards the computing resource; and
updating records on the routing device in order to indicate the computing device is authorized to access the computing resource;
wherein upon receiving a message from the remediation server indicating that the then current configuration state was not successfully updated, the routing device limits or denies access to the computing resource without limiting or denying any communications traffic destined for locations outside the network.
Dependent claims: 38-43.
44. A non-transitory computer-readable medium containing a program which, when executed, performs an operation to control access to computing resources in a network, by using a routing device, a policy server, and a remediation server and based on security posture credentials and remediation attributes, the operation comprising:
receiving, by the routing device connected to the network, from a computing device connected to the network, network traffic directed to a computing resource available over the network;
in response, collecting, from a posture program, a security posture credential indicating a current configuration state of one or more components on the computing device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computing device;
(ii) a posture plug-in executing on the computing device; and
(iii) an audit server operatively connected to the computing device;
forwarding the security posture credential collected from the computing device to the policy server by operation of one or more computer processors when executing the program, wherein the policy server performs an initial evaluation of the security posture credential of the computing device in order to determine a posture validation result indicating whether the computing device satisfies requirements of a security policy for accessing the computing resource;
upon receiving a message from the policy server indicating that the security posture credential does not satisfy requirements of the security policy, redirecting access by:
forwarding one or more remediation attributes to the remediation server to update, based on the one or more remediation attributes, the then current configuration state of the one or more components on the computing device in order to satisfy the requirements of the security policy; and
forwarding network traffic from the computing resource towards the remediation server without granting access to the computing resource in the network; and
upon receiving a message from the policy server indicating that the security posture credential satisfies the requirements of the security policy, or upon receiving a message from the remediation server indicating that the then current configuration state was successfully updated, granting access by:
forwarding network traffic received from the computing device towards the computing resource; and
updating records on the routing device in order to indicate the computing device is authorized to access the computing resource;
wherein upon receiving a message from the remediation server indicating that the then current configuration state was not successfully updated, the routing device limits or denies access to the computing resource without limiting or denying any communications traffic destined for locations outside the network.
45. A routing device to control access to computing resources in a network, by operating in conjunction with a policy server and a remediation server and based on security posture credentials and remediation attributes, the routing device comprising:
one or more computer processors;
a memory containing a program which, when executed by the one or more computer processors, performs an operation comprising:
receiving, by the routing device connected to the network, from a computing device connected to the network, network traffic directed to a computing resource available over the network;
in response, collecting, from a posture program, a security posture credential indicating a current configuration state of one or more components on the computing device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computing device;
(ii) a posture plug-in executing on the computing device; and
(iii) an audit server operatively connected to the computing device;
forwarding the security posture credential collected from the computing device to the policy server, wherein the policy server performs an initial evaluation of the security posture credential of the computing device in order to determine a posture validation result indicating whether the computing device satisfies requirements of a security policy for accessing the computing resource;
upon receiving a message from the policy server indicating that the security posture credential does not satisfy requirements of the security policy, redirecting access by:
forwarding one or more remediation attributes to the remediation server to update, based on the one or more remediation attributes, the then current configuration state of the one or more components on the computing device in order to satisfy the requirements of the security policy; and
forwarding network traffic from the computing resource towards the remediation server without granting access to the computing resource in the network; and
upon receiving a message from the policy server indicating that the security posture credential satisfies the requirements of the security policy, or upon receiving a message from the remediation server indicating that the then current configuration state was successfully updated, granting access by:
forwarding network traffic received from the computing device towards the computing resource; and
updating records on the routing device in order to indicate the computing device is authorized to access the computing resource;
wherein upon receiving a message from the remediation server indicating that the then current configuration state was not successfully updated, the routing device limits or denies access to the computing resource without limiting or denying any communications traffic destined for locations outside the network.
46. A computer-implemented method to control access to resources in a network by using an intercepting device, a policy server, and a remediation server and based on security posture credentials and redirect access instructions, the computer-implemented method comprising:
intercepting, by the intercepting device, one or more messages sent by a computerized device requesting access to one of the resources in the network, the intercepting device comprising a data communications device;
selecting, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computing device in order to generate a security posture credential, wherein the security posture credential includes one or more affirmative descriptions of the application or component on the computerized device and represents a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving the security posture credential, forwarding the security posture credential to the policy server, whereupon the policy server analyzes the security posture credentials relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
applying the redirect access instruction at the intercepting device by operation of one or more computer processors, to communications traffic originating from the computerized device and destined for resources within the network, in order to grant the computerized device with access to the remediation server without including access to the resources in the network;
wherein upon determining the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon successful completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the intercepting device to grant the computerized device with access to the resources in the network;
wherein upon failure of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a restrict access instruction applicable by the intercepting device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable to restrict routing of any communications traffic destined for locations outside the network.
47. A non-transitory computer-readable medium containing a program which, when executed, performs an operation to control access to resources in a network by using an intercepting device, a policy server, and a remediation server and based on security posture credentials and access instructions, the operation comprising:
intercepting, by the intercepting device, one or more messages sent by a computerized device requesting access to one of the resources in the network, the intercepting device comprising a data communications device;
prior to granting the computerized device with the requested access to the network, and in response to intercepting the one or more messages sent by the computerized device, selecting, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computing device in order to generate a security posture credential, wherein the security posture credential includes one or more affirmative descriptions of the application or component on the computerized device and represents a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving the security posture credential, forwarding the security posture credential to the policy server, whereupon the policy server analyzes the security posture credentials relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
applying the redirect access instruction at the intercepting device by operation of one or more computer processors when executing the program, to communications traffic originating from the computerized device and destined for resources within the network in order to grant the computerized device with access to the remediation server without including access to the resources in the network;
wherein upon determining the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon successful completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the intercepting device to grant the computerized device with access to the resources in the network;
wherein upon failure of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a restrict access instruction applicable by the intercepting device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable to restrict routing of any communications traffic destined for locations outside the network.
-
-
48. A routing device to control access to computing resources in a network, by operating in conjunction with a policy server and a remediation server and based on security posture credentials and access instructions, the routing device comprising:
one or more computer processors;
a memory containing a program which, when executed by the one or more computer processors, performs an operation comprising:
intercepting one or more messages sent by a computerized device requesting access to one of the resources in the network;
selecting, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computerized device in order to generate a security posture credential, wherein the security posture credential includes one or more affirmative descriptions of the application or component on the computerized device and represents a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving the security posture credential, forwarding the security posture credential to the policy server, whereupon the policy server analyzes the security posture credential relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining that the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
applying the redirect access instruction to communications traffic originating from the computerized device and destined for resources within the network, in order to grant the computerized device access to the remediation server without including access to the resources in the network;
wherein upon determining that the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon successful completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the routing device to grant the computerized device access to the resources in the network;
wherein upon failure of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a restrict access instruction applicable by the routing device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable to restrict routing of any communications traffic destined for locations outside the network.

49. A computer-implemented method to control access to resources in a network by using an intercepting device, a policy server, and a remediation server and based on security posture credentials and access instructions, the computer-implemented method comprising:
intercepting, by the intercepting device, one or more messages sent by a computerized device requesting access to one of the resources in the network, the intercepting device comprising a data communications device;
selecting, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computerized device in order to generate a corresponding security posture credential representing a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving the security posture credential, forwarding the security posture credential to the policy server, whereupon the policy server analyzes the security posture credential relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining that the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
applying the redirect access instruction at the intercepting device, by operation of one or more computer processors, to communications traffic originating from the computerized device and destined for resources within the network, in order to grant the computerized device access to the remediation server without including access to the resources in the network;
wherein upon determining that the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon successful completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the intercepting device to grant the computerized device access to the resources in the network;
wherein upon failure of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a restrict access instruction applicable by the intercepting device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable to restrict routing of any communications traffic destined for locations outside the network;
wherein responsive to an update to the accepted credential set after the computerized device is granted access to the resources in the network, the intercepting device transmits a posture update query to the computerized device and forwards a posture update response from the posture program to the policy server.

50. A non-transitory computer-readable medium containing a program which, when executed, performs an operation to control access to resources in a network by using an intercepting device, a policy server, and a remediation server and based on security posture credentials and access instructions, the operation comprising:
intercepting, by the intercepting device, one or more messages sent by a computerized device requesting access to one of the resources in the network, the intercepting device comprising a data communications device;
selecting, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computerized device in order to generate a security posture credential representing a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving the security posture credential, forwarding the security posture credential to the policy server, whereupon the policy server analyzes the security posture credential relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining that the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
applying the redirect access instruction at the intercepting device, by operation of one or more computer processors when executing the program, to communications traffic originating from the computerized device and destined for resources within the network, in order to grant the computerized device access to the remediation server without including access to the resources in the network;
wherein upon determining that the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon successful completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the intercepting device to grant the computerized device access to the resources in the network;
wherein upon failure of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a restrict access instruction applicable by the intercepting device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable to restrict routing of any communications traffic destined for locations outside the network;
wherein responsive to an update to the accepted credential set after the computerized device is granted access to the resources in the network, the intercepting device transmits a posture update query to the computerized device and forwards a posture update response from the posture program to the policy server.

51. A routing device to control access to computing resources in a network, by operating in conjunction with a policy server and a remediation server and based on security posture credentials and access instructions, the routing device comprising:
one or more computer processors;
a memory containing a program which, when executed by the one or more computer processors, performs an operation comprising:
intercepting one or more messages sent by a computerized device requesting access to one of the resources in the network;
selecting, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computerized device in order to generate a security posture credential representing a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving the security posture credential, forwarding the security posture credential to the policy server, whereupon the policy server analyzes the security posture credential relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining that the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
applying the redirect access instruction to communications traffic originating from the computerized device and destined for resources within the network, in order to grant the computerized device access to the remediation server without including access to the resources in the network;
wherein upon determining that the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon successful completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the routing device to grant the computerized device access to the resources in the network;
wherein upon failure of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a restrict access instruction applicable by the routing device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable to restrict routing of any communications traffic destined for locations outside the network;
wherein responsive to an update to the accepted credential set after the computerized device is granted access to the resources in the network, the routing device transmits a posture update query to the computerized device and forwards a posture update response from the posture program to the policy server.

52. A computer-implemented method to control access to resources in a network by using an intercepting device, a policy server, and a remediation server and based on security posture credentials and access instructions, the computer-implemented method comprising:
intercepting, by the intercepting device, one or more messages sent by a computerized device requesting access to one of the resources in the network, the intercepting device comprising a data communications device;
selecting, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computerized device in order to generate a security posture credential representing a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving the security posture credential, forwarding the security posture credential to the policy server, whereupon the policy server analyzes the security posture credential relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining that the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
applying the redirect access instruction at the intercepting device, by operation of one or more computer processors, to communications traffic originating from the computerized device and destined for resources within the network, in order to grant the computerized device access to the remediation server without including access to the resources in the network;
wherein upon determining that the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the intercepting device to grant the computerized device access to the resources in the network;
wherein responsive to an update to the accepted credential set after the computerized device is granted access to the resources in the network, the intercepting device transmits a posture update query to the computerized device and forwards a posture update response from the posture program to the policy server, whereupon the policy server analyzes the posture update response relative to the updated credential set in order to determine an updated posture validation result for the computerized device and generates a restrict access instruction based on the updated posture validation result, wherein the restrict access instruction is applicable by the intercepting device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable to restrict routing of any communications traffic destined for locations outside the network.

53. A routing device to control access to computing resources in a network, by operating in conjunction with a policy server and a remediation server and based on security posture credentials and access instructions, the routing device comprising:
one or more computer processors;
a memory containing a program which, when executed by the one or more computer processors, performs an operation comprising:
intercepting one or more messages sent by a computerized device requesting access to one of the resources in the network;
selecting, based on the resources for which access is requested, one or more challenge requests to provide to a posture program, whereupon the posture program evaluates a current security state of an application or component of the computerized device in order to generate a security posture credential representing a current security state of the computerized device, wherein the posture program comprises at least one of:
(i) a posture agent executing on the computerized device;
(ii) a posture plug-in executing on the computerized device; and
(iii) an audit server operatively connected to the computerized device;
subsequent to receiving the security posture credential, forwarding the security posture credential to the policy server, whereupon the policy server analyzes the security posture credential relative to an accepted credential set representing requirements of a security policy for accessing the resources, in order to determine a posture validation result indicating whether the computerized device satisfies the requirements of the security policy;
wherein upon determining that the posture validation result indicates that the computerized device does not satisfy the requirements of the security policy, the policy server generates a redirect access instruction specifying one or more remedial actions for the remediation server to perform in order to bring the computerized device into compliance with the security policy; and
applying the redirect access instruction to communications traffic originating from the computerized device and destined for resources within the network, in order to grant the computerized device access to the remediation server without including access to the resources in the network;
wherein upon determining that the posture validation result indicates that the computerized device satisfies the requirements of the security policy, or upon completion of the one or more remedial actions to bring the computerized device into compliance with the security policy, the policy server generates a grant access instruction applicable by the routing device to grant the computerized device access to the resources in the network;
wherein responsive to an update to the accepted credential set after the computerized device is granted access to the resources in the network, the routing device transmits a posture update query to the computerized device and forwards a posture update response from the posture program to the policy server, whereupon the policy server analyzes the posture update response relative to the updated credential set in order to determine an updated posture validation result for the computerized device and generates a restrict access instruction based on the updated posture validation result, wherein the restrict access instruction is applicable by the routing device to limit or deny access to the resources in the network, wherein the restrict access instruction is not applicable to restrict routing of any communications traffic destined for locations outside the network.
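The admission flow that the claims above share (intercept the request, select challenges by requested resource, obtain a posture credential, have the policy server compare it with the accepted credential set, emit a redirect, grant or restrict access instruction, and re-query posture when the accepted set changes) is modelled below as an added Python example. It is not code from the patent or from any product implementing it; the network range, remediation-server address, posture attribute names, policy thresholds, remediable attributes and the three device states are assumptions constructed for the illustration. It also shows the two enforcement details a practitioner would check: the intercepting device only ever applies an instruction to traffic destined inside the network, and a redirect instruction admits nothing but the remediation server.

```python
# Added example (not code from the patent): offline model of the claimed admission-control flow.
from dataclasses import dataclass
from enum import Enum
from ipaddress import ip_address, ip_network

NETWORK = ip_network("10.0.0.0/8")            # protected network (assumed)
REMEDIATION_SERVER = ip_address("10.0.0.5")    # remediation server inside it (assumed)
Decision = Enum("Decision", "GRANT REDIRECT RESTRICT")   # the three access instructions

@dataclass
class Instruction:
    decision: Decision
    remedial_actions: tuple = ()   # attributes the remediation server is asked to fix

# Challenge selection: posture attributes each requested resource requires (assumed policy).
RESOURCE_CHALLENGES = {
    "finance-db": ("av_sig_age_days", "os_patch_level", "host_firewall"),
    "printer": ("av_sig_age_days",),
}
REMEDIABLE = {"av_sig_age_days": 0, "host_firewall": True}   # what remediation can fix (assumed)

def posture_program(device_state, challenges):   # posture agent/plug-in answering the challenges
    return {c: device_state.get(c) for c in challenges}   # this dict is the posture credential

def remediation_server(device_state, actions):   # performs what it can; the rest stays as it was
    for attr in actions:
        if attr in REMEDIABLE:
            device_state[attr] = REMEDIABLE[attr]

class PolicyServer:
    """Accepted credential set: attribute -> predicate that a compliant value satisfies."""
    def __init__(self, accepted):
        self.accepted = dict(accepted)
        self.on_update = []        # intercepting devices to notify when the set changes
    def validate(self, credential):
        return [a for a, ok in self.accepted.items() if a in credential and not ok(credential[a])]
    def decide(self, credential, after_remediation=False):
        failures = self.validate(credential)
        if not failures:
            return Instruction(Decision.GRANT)
        if after_remediation:      # remediation did not bring the device into compliance
            return Instruction(Decision.RESTRICT)
        return Instruction(Decision.REDIRECT, tuple(failures))
    def update_accepted(self, attribute, predicate):
        self.accepted[attribute] = predicate
        for callback in self.on_update:
            callback()

class InterceptingDevice:
    """Router in the path: intercepts the access request and applies the instruction to traffic."""
    def __init__(self, policy):
        self.policy = policy
        self.instructions = {}     # device id -> current Instruction
        self.sessions = {}         # device id -> (posture source, challenges) for update queries
        policy.on_update.append(self.posture_update)
    def admit(self, dev, device_state, resource):
        challenges = RESOURCE_CHALLENGES[resource]
        self.sessions[dev] = (device_state, challenges)
        instr = self.policy.decide(posture_program(device_state, challenges))
        if instr.decision is Decision.REDIRECT:
            # only the remediation server is reachable; posture is re-evaluated afterwards
            remediation_server(device_state, instr.remedial_actions)
            instr = self.policy.decide(posture_program(device_state, challenges), after_remediation=True)
        self.instructions[dev] = instr
        return instr.decision
    def posture_update(self):
        """Posture update query to every admitted device after the accepted set changed."""
        for dev, (device_state, challenges) in self.sessions.items():
            response = posture_program(device_state, challenges)
            self.instructions[dev] = self.policy.decide(response, after_remediation=True)
    def permit(self, dev, dst):
        """Apply the device's current instruction to one packet from dev to dst."""
        if ip_address(dst) not in NETWORK:   # instructions never restrict traffic leaving the network
            return True
        decision = self.instructions.get(dev, Instruction(Decision.RESTRICT)).decision
        return decision is Decision.GRANT or (
            decision is Decision.REDIRECT and ip_address(dst) == REMEDIATION_SERVER)

def demo():
    policy = PolicyServer({
        "av_sig_age_days": lambda v: v is not None and v <= 7,
        "os_patch_level": lambda v: v is not None and v >= 202406,
        "host_firewall": lambda v: v is True,
    })
    gate = InterceptingDevice(policy)
    laptop = {"av_sig_age_days": 30, "os_patch_level": 202407, "host_firewall": True}   # constructed
    legacy = {"av_sig_age_days": 2, "os_patch_level": 202001, "host_firewall": False}   # constructed
    kiosk = {"av_sig_age_days": 1, "os_patch_level": 201901, "host_firewall": False}    # constructed
    out = {
        "laptop": gate.admit("laptop", laptop, "finance-db"),   # stale AV is remediable: grant
        "legacy": gate.admit("legacy", legacy, "finance-db"),   # old OS is not: restrict
        "kiosk": gate.admit("kiosk", kiosk, "printer"),         # printer challenges AV only: grant
        "legacy_to_internet": gate.permit("legacy", "203.0.113.9"),
        "legacy_to_db": gate.permit("legacy", "10.0.1.20"),
    }
    policy.update_accepted("os_patch_level", lambda v: v is not None and v >= 202408)
    out["laptop_after_update"] = gate.instructions["laptop"].decision
    out["laptop_to_db_after_update"] = gate.permit("laptop", "10.0.1.20")
    return out
```

Calling `demo()` walks the three constructed devices through the flow: the laptop is redirected for stale signatures, remediated and then granted; the legacy host cannot be patched by the remediation server and ends restricted, yet its packet to an address outside the network is still forwarded; the kiosk is granted access to the printer because that resource only challenges the antivirus attribute. Tightening the accepted credential set afterwards triggers a posture update query and moves the laptop to a restrict instruction, as claims 52 and 53 describe.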
Specification