
WO2008065648A2 - System and method of network authorization by scoring - Google Patents

System and method of network authorization by scoring

Info

Publication number
WO2008065648A2
Authority
WO
WIPO (PCT)
Prior art keywords
score
grading
access
data elements
data
Legal status
Ceased
Application number
PCT/IL2007/001457
Other languages
English (en)
Other versions
WO2008065648A3 (fr)
Inventor
Ofer Amitai
Nir Aran
Current Assignee
DATANIN Ltd
Original Assignee
DATANIN Ltd

Classifications

    • H ELECTRICITY
    • H04 ELECTRIC COMMUNICATION TECHNIQUE
    • H04L TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
    • H04L 63/00 Network architectures or network communication protocols for network security
    • H04L 63/10 Network architectures or network communication protocols for network security for controlling access to devices or network resources

Definitions

  • the present invention relates to providing authorization or authentication for a device to access a network.
  • Authorizing or authenticating a device to receive access to a network or network resource may be granted through a set of serial steps.
  • a device seeking access may include an agent, token, password or certificate that may be recognized by a network element.
  • the user may then be required to enter a first password to gain access to a PC system, a second password to gain access to a domain network and a third password to gain access to, for example, an application.
  • the device must be able to authenticate at many authentication levels in order to access the desired network or application. A failure of any of such steps may prevent the user or the device from accessing the resource or application.
  • a method of the invention may include receiving data elements from a device connected to a virtual network, grading or assigning a grade to indicate for example the existence or confirmation of a data element associated with the device, calculating a score for the device based on the grades, and authorizing access of the device if the score reaches a pre-defined level.
  • an element that may be included in the grading may be a request for access made during a certain time of day.
  • an element that may be included in the grading may be a MAC address or other unique identifier of the device that may be recognized by a memory connected to the network.
  • an element that may be included in the grading may be a particular operating system that may be recognized by a memory.
  • a grading may be assigned based on a physical location, a host name address, an updated version of an anti-virus program or of a security patch, the presence of a hash file validation or of a particular software program that may be stored in or otherwise associated with the device.
  • one or more grades may be weighted, and the weighted grades may be calculated as the score for the device. In some embodiments, one or more pre-defined policies may determine a weight of such data elements. In some embodiments such weighting may be varied based on a presence, absence or condition of one or more of the data elements, or as a result of other conditions. In some embodiments, a minimum score may be required for a device to be granted access to a network resource. In some embodiments the minimum score may be varied according to a pre-determined policy.
  • a method may include calculating a score for a device that is seeking access to a network based on data elements of items or components in the device, granting access to a network resource if the score reaches a first level, and granting access to a second network resource if the score reaches a second level.
  • the required score may be varied to other levels if a particular condition is satisfied or if a sub-score level of certain elements is reached. In some embodiments, a level or score may be varied based on for example a time that access to the network is sought by the device.
  • a system may include a memory that may store criteria for granting access to the network, and a processor that may collect data from the device, calculate a score based on the collected data elements and compare the calculated score to a pre-determined score.
  • Fig. 1 is a conceptual illustration of a system that may provide a device with access to a virtual network, and that may accept and grade a plurality of input elements from said device, in accordance with an embodiment of the invention.
  • Fig. 2 is a conceptual illustration of a grading table for scoring an authorization calculation in accordance with an embodiment of the invention.
  • Fig. 3 is a flow diagram of a method in accordance with an embodiment of the invention. It will be appreciated that for simplicity and clarity of illustration, elements shown in the figures have not necessarily been drawn to scale. For example, the dimensions of some of the elements may be exaggerated relative to other elements for clarity.
  • Fig. 1 is a conceptual illustration of a system to designate a virtual network that may link with a device connected to for example a port, in accordance with an embodiment of the invention.
  • an electronic device 100 such as for example a computer, internet telephone, laptop, server, switch, access point, personal digital assistant, email access device or other device, may connect or be connected to a network such as for example by plugging in to for example a port 102 or other outlet that may link to a network or network resource.
  • port 102 may provide a physical link such as a wired connection between a device 100 and a network device 104 such as for example a switch, router, firewall, access point or server. In some embodiments, port 102 may be or include for example an access point to provide a wireless connection to a network device 104 or network resource component connected to a network, such as for example a policy enforcer 107, that may vary or change a network designation that is associated with device 100 or port 102.
  • policy enforcer 107 may be included in network device 104, and may create or designate first virtual network (VLAN) 113, that may serve for example as an inspection network or holding area that may include device 100 and port 102.
  • Network device 104 may also have a connection to VLAN 113. In some embodiments upon connection of a device 100 to port 102 or an association of a device 100 with a network element, a notification or link-up SNMP trap may be sent from network device 104 to for example policy enforcer 107.
  • This notification message may include for example information indicating that a device 100 has connected with port 102, or may include other information.
  • Policy enforcer 107 may upon receiving such notification or at some other time, configure port 102 or the associated connection between device 100 and an access point, to be a member of a holding or inspection area VLAN, such as for example VLAN 113, such that the connected device 100 and port 102 and the policy enforcer 107 will be connected together, but such that device 100 will not have access to other resources of the local area network. While device 100 and port 102 are connected in VLAN 113, other network resources such as network resource 108 may not be available to device 100, and no communication may be established between device 100 and a second layer of communication that may be known as layer 2.
  • data, signals or packets with a designation representing VLAN 113 may be sent by, to and among device 100, port 102, network element 104 and policy enforcer 107, while data, signals or packets having designations other than representing VLAN 113 may not be sent to or received by device 100 or port 102.
  • the designation of for example VLAN 113 may be recognized by network device 104 as designating only for example an inspection network and devices connected to it. In Fig. 1, the elements included in the inspection network using a designation representing VLAN 113 are conceptually illustrated by border 115. No such actual border need exist.
  • policy enforcer 107 may access more than one network or VLAN 113 such as for example LAN 114 or other VLANs.
  • data about characteristics of the device 100 or components included in the device 100, about port 102 or about other information related to the connection between device 100 and port 102 may be collected in or by a network element 104 that may be accessible to policy enforcer 107.
  • policy enforcer 107 or some other component associated with a network, may gather information regarding layer 2, for example media access control (MAC) of the connected device 100.
  • the method of collecting information regarding device 100 may include direct SNMP queries to device 100 to fetch the MAC address or other identifying information.
  • collecting data about device 100 or its components may be accomplished by passive probing of the device or transmissions sent by the device such as by for example DHCP relay, DHCP forward, and ARP listening/sniffing. In some embodiments, data about device 100 may be collected by active probing such as by for example WMI queries, WMI callbacks, remote registry, ARP scanning/sniffing, querying the switch ARP table or port scanning. Other methods are possible. Policy enforcer 107 or some other component with access to for example VLAN 113 may query device 100 for further data that may identify device 100 as qualified to receive access to a network resource 108.
  • Such data or identifiers may include for example any, some or all of data elements 105 that may identify device 100 or a characteristic of device 100 such as for example a license number for a particular software package that may be installed on device 100, a password or authorization code of device 100, a date that device 100 was last updated with an anti-virus program, a date that device 100 last logged onto the network, or other data by which device 100 may be identified or that may be compared with data stored on for example policy manager 106.
  • querying of device 100 by policy enforcer 107 or some other component may be achieved using for example expect language, WMI, SNMP, device fingerprint or other known methods of device querying.
  • network device 104 or another device may accept and for example record one, some or all of the data elements 105 or information collected from device 100.
  • Policy enforcer 107 may query a policy server or policy manager 106 or other list, data base or set of rules or information to receive weights that may be applied to one or more of the data elements 105 that may have been received from device 100.
  • Policy enforcer 107 may include a memory 117 that may store one or more sets of weighting formulas that may be applied to the data elements received from device 100.
  • a processor 115 that may be connected to policy enforcer 107 may score the grades on the received data elements 105 in accordance with the weights stored in for example a memory of policy enforcer 107.
  • one or more weights of grades or data elements 105 may be varied such that a particular weight is assigned to a grade for a data element 105 in some circumstances, while another weight is used in other instances.
  • a policy enforcer 107 may grant device 100 with access to a first resource based on a first score, but may withhold access to a second resource or application if a second score is not reached by the device.
  • one or more sub-scores may also be calculated, and access to particular network elements or resources may be determined on the basis of such sub-scores or other criteria relating to the collected data elements. For example, a first score may be sufficient to grant device 100 with access to a network, but device 100 may be directed to an upgrading area where, in a remediation phase, an anti-virus program may be updated on the device 100. Once the upgrade is complete, device 100 may again attempt to gain access to the network, whereupon a new score may be calculated that may also include the grade for the updated anti-virus program.
  • device 100 may not include an agent.
  • processor 115 that may be connected to for example VLAN 113 may probe, collect or obtain information about components such as software, identification data or other data about a device 100, directly from the components or items that are installed or saved on the device 100.
  • processor 115 may evaluate a packet or other unit of information that may be sent from device 100 over VLAN 113.
  • Such packet may include for example a MAC address of device 100, domain information of device 100, a hostname of device 100 and other information.
  • a processor may poll or collect information from any of a hash file validation, file of device 100, a list of driver files or execution files that may be stored on device 100 or other sources of information stored in device 100.
  • Some or all of the information collected by a processor may be included in the data elements 105 that may be evaluated as part of an authorization or authentication process.
  • a memory may store, record or calculate a table 200 that may include one or more data elements 202 relating to a device that may be connected to a port or a virtual network.
  • Data elements 202 may in some embodiments be inputted by for example a user or administrator of a network or may be pre-programmed into a memory. In some embodiments, table 200 may be stored other than as a table, such as for example an array or other arrangement of memory.
  • One or more of data elements 202 may be associated with one or more weightings 204A and 204B, such that one or more of the grades 203 may be for example multiplied by a relevant weighting 204 to produce a score 206 for a particular data element 202.
  • a total score 208 for a device that may be connected to a virtual network may be calculated, and compared to a required score 210 for authentication and authorization of the device to gain access to a wider network such as a LAN.
  • policy manager 106 or policy enforcer 107 may change a designation of port 102, or other connection or association of device 100, from being a member in VLAN 113 to being for example connected to for example LAN 114.
  • the change in designation of port 102 from being a part of a VLAN 113 to being part of LAN 114 may let signals, packets or data sent to or received from device 100 or over port 102, reach other network resources 108. This change of designation may in effect grant device 100 with access to the wider network that may include network resources 108.
  • a processor that may be connected to a network such as for example a processor that may be in an authorization tool may probe a device that is connected to a port, and may receive one or more data elements from the device.
  • the data elements may include information about specific characteristics of the device such as for example a MAC address, a host name, an operating system running on the device, a hash file, an update date for patches or virus software and other information.
  • the processor may access a stored list of data elements and a relative importance of such elements in determining an authorization for the device. For example, a table or list of data elements to be received and evaluated by a processor may be input by a user such as an administrator, and the presence or satisfaction by the received data of a data element may be evaluated by the processor.
  • a processor may grade one or more of the listed data elements according to the data received from the device, and may record the grade in for example a table.
  • a grade may be or include a 1 if a data element received from the device is recognized by a network element such as a policy enforcer. Other grades may be used.
  • a processor may calculate a score for the device that may result from the grades assigned for the collected data elements.
  • one or more of the grades may be weighted in calculating a total score for the device. For example, a recognized MAC address may be assigned a first weight or importance if the device is attempting to gain access from a known location, but may be assigned a second weight if a device is attempting to gain access from a location that is not recognized.
  • a processor may compare a calculated score for a device to a required minimum score. In block 306, if the calculated score reaches or exceeds the required score, the device may be authorized to gain access to some or all additional network resources.
  • a user such as a network administrator may record more than one policy or weighting for a data element. For example, a grade for a known location may be given a first weight during working hours and a second weight during non-business hours. Other criteria may be considered in scoring or weighing a grade of a collected data element.
  • a minimum required score may be varied to account for a time or location of a requested access. In some embodiments different minimum required scores may be required in order to gain access to particular network resources. In some embodiments, a minimum required score for access to a network or network resource may be varied if a sub-score reaches a particular level. In some embodiments, a satisfaction of a particular condition or criteria may result in a change of a minimum score that may be required to gain access to a particular resource.
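The grading table of Fig. 2 and the policy rules described above (grades of 1 for recognized elements, policy-driven weights that change with location and time of day, a sub-score that relaxes the required score, tiered access with a remediation area), worked through as an added example that is not the patent's own code. The element names, weights, thresholds, known-device inventory and timestamps are all constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime

# Constructed stand-in for what policy manager 106 would hold: the data
# elements the network recognizes for known devices.
KNOWN_MACS = {"00:11:22:33:44:55"}
KNOWN_HOSTS = {"ws-finance-01"}
KNOWN_LOCATIONS = {"HQ-floor-3"}
MIN_AV_SIGNATURE = 20071101   # constructed: oldest acceptable anti-virus signature date

LEVEL_LAN = 60                # first level: port moves from VLAN 113 to LAN 114
LEVEL_APP = 90                # second level: access to a second resource

# Constructed request times used by the demo below.
WORKDAY = datetime(2007, 11, 26, 10, 0)       # Monday, business hours
SUNDAY_NIGHT = datetime(2007, 11, 25, 22, 0)  # weekend, after hours


def business_hours(when: datetime) -> bool:
    return when.weekday() < 5 and 8 <= when.hour < 18


def grade(elements: dict) -> dict:
    """Grade 1 when a data element is recognized, else 0 (the page's example grade)."""
    return {
        "mac": int(elements.get("mac") in KNOWN_MACS),
        "hostname": int(elements.get("hostname") in KNOWN_HOSTS),
        "location": int(elements.get("location") in KNOWN_LOCATIONS),
        "antivirus": int(elements.get("av_signature", 0) >= MIN_AV_SIGNATURE),
    }


def weights(grades: dict, when: datetime) -> dict:
    """Policy-driven weights (204A/204B): a recognized MAC counts for less from
    an unrecognized location; a known location counts for less after hours."""
    w = {"mac": 30, "hostname": 20, "location": 20, "antivirus": 30}
    if not grades["location"]:
        w["mac"] = 15
    if not business_hours(when):
        w["location"] = 10
    return w


@dataclass
class Decision:
    score: int
    required: int
    access: list = field(default_factory=list)   # resources granted


def authorize(elements: dict, when: datetime) -> Decision:
    g = grade(elements)
    w = weights(g, when)
    per_element = {k: g[k] * w[k] for k in g}    # per-element scores 206
    total = sum(per_element.values())            # total score 208
    required = LEVEL_LAN                         # required score 210
    identity = per_element["mac"] + per_element["hostname"]   # a sub-score
    if identity >= 50:
        required -= 10       # strong identity sub-score relaxes the minimum
    if not business_hours(when):
        required += 10       # after-hours requests need a higher score
    d = Decision(total, required)
    if total < required:
        return d                                 # stays in inspection VLAN 113
    if not g["antivirus"]:
        d.access.append("remediation")           # upgrade area, then re-score
        return d
    d.access.append("LAN")
    if total >= LEVEL_APP:
        d.access.append("second-resource")
    return d
```

Calling `authorize` with the same device at `WORKDAY` and `SUNDAY_NIGHT` shows both the weight and the required score shifting with the time of the request.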

Landscapes

  • Engineering & Computer Science (AREA)
  • Computer Hardware Design (AREA)
  • Computer Security & Cryptography (AREA)
  • Computing Systems (AREA)
  • General Engineering & Computer Science (AREA)
  • Computer Networks & Wireless Communication (AREA)
  • Signal Processing (AREA)
  • Data Exchanges In Wide-Area Networks (AREA)

Abstract

The invention relates to a method and system for grading data elements received from a device, and scoring the grades to determine an authorization for access to a network.
PCT/IL2007/001457 2006-11-30 2007-11-26 System and method of network authorization by scoring Ceased WO2008065648A2 (fr)

Applications Claiming Priority (4)

Application Number Priority Date Filing Date Title
US11/606,008 2006-11-30
US11/606,008 US20080134296A1 (en) 2006-11-30 2006-11-30 System and method of network authorization by scoring
US11/606,009 US8102860B2 (en) 2006-11-30 2006-11-30 System and method of changing a network designation in response to data received from a device
US11/606,009 2006-11-30

Publications (2)

Publication Number Publication Date
WO2008065648A2 true WO2008065648A2 (fr) 2008-06-05
WO2008065648A3 WO2008065648A3 (fr) 2009-04-23

Family

ID=39468351

Family Applications (1)

Application Number Title Priority Date Filing Date
PCT/IL2007/001457 Ceased WO2008065648A2 (fr) 2006-11-30 2007-11-26 System and method of network authorization by scoring

Country Status (1)

Country Link
WO (1) WO2008065648A2 (fr)

Family Cites Families (7)

* Cited by examiner, † Cited by third party
Publication number Priority date Publication date Assignee Title
US6687823B1 (en) * 1999-05-05 2004-02-03 Sun Microsystems, Inc. Cryptographic authorization with prioritized and weighted authentication
US6928480B1 (en) * 2000-09-19 2005-08-09 Nortel Networks Limited Networking device and method for providing a predictable membership scheme for policy-based VLANs
US7036148B2 (en) * 2001-05-08 2006-04-25 International Business Machines Corporation Method of operating an intrusion detection system according to a set of business rules
US7590684B2 (en) * 2001-07-06 2009-09-15 Check Point Software Technologies, Inc. System providing methodology for access control with cooperative enforcement
US7308714B2 (en) * 2001-09-27 2007-12-11 International Business Machines Corporation Limiting the output of alerts generated by an intrusion detection sensor during a denial of service attack
US7581249B2 (en) * 2003-11-14 2009-08-25 Enterasys Networks, Inc. Distributed intrusion response system
US7969901B2 (en) * 2004-08-12 2011-06-28 Lantiq Deutschland Gmbh Method and device for compensating for runtime fluctuations of data packets

Also Published As

Publication number Publication date
WO2008065648A3 (fr) 2009-04-23

Similar Documents

Publication Publication Date Title
US20080134296A1 (en) System and method of network authorization by scoring
US20120005729A1 (en) System and method of network authorization by scoring
US10313350B2 (en) Remote access to resources over a network
KR101669694B1 (ko) 네트워크 자원들에 대한 건강 기반 액세스
US8763076B1 (en) Endpoint management using trust rating data
US7340770B2 (en) System and methodology for providing community-based security policies
CN108886483B (zh) 用于自动装置检测的系统及方法
US8255973B2 (en) Provisioning remote computers for accessing resources
US8001610B1 (en) Network defense system utilizing endpoint health indicators and user identity
US8856911B2 (en) Methods, network services, and computer program products for recommending security policies to firewalls
US20150281277A1 (en) Network policy assignment based on user reputation score
US20060161970A1 (en) End point control
US20110055810A1 (en) Systems and methods for registering software management component types in a managed network
US12022296B2 (en) Network cyber-security platform
US20070283422A1 (en) Method, apparatus, and computer product for managing operation
CN101540755B (zh) 一种修复数据的方法、系统和装置
CN110855709A (zh) 安全接入网关的准入控制方法、装置、设备和介质
JP4664565B2 (ja) 加入者装置へのデータのダウンロードを制御する通信システム・アーキテクチャ及び方法
US20070198525A1 (en) Computer system with update-based quarantine
US20120317287A1 (en) System and method for management of devices accessing a network infrastructure via unmanaged network elements
US8102860B2 (en) System and method of changing a network designation in response to data received from a device
WO2008065648A2 (fr) System and method of network authorization by scoring
US20080127168A1 (en) Setup of workloads across nodes
CN112912879A (zh) 用于进程间安全消息传递的装置和方法
JP6800902B2 (ja) 情報処理装置、情報処理プログラム、記録媒体及び情報処理方法

Legal Events

Date Code Title Description
121 Ep: the epo has been informed by wipo that ep was designated in this application

Ref document number: 07827430

Country of ref document: EP

Kind code of ref document: A2

NENP Non-entry into the national phase

Ref country code: DE

122 Ep: pct application non-entry in european phase

Ref document number: 07827430

Country of ref document: EP

Kind code of ref document: A2