The patent's assignee is
News editors obtained the following quote from the background information supplied by the inventors: "Concepts described herein relate generally to network access, and more particularly, to network access control systems.
"Organizations are continuously looking to prevent security threats from compromising their internal networks and endpoints (e.g., devices connected to the networks). When endpoints connect to an internal network, such as a proprietary corporate network, it is often desirable for the internal network to perform security checks of the connecting endpoints before granting the endpoint access to the internal network. The security checks may include checks relating to proof of identity of the user using the endpoint, proof of identity of the endpoint itself, and checks relating to the integrity status of the endpoint. The system that performs the security check and selectively grants access to endpoints will be referred to as an endpoint integrity system herein.
"The endpoint integrity system may check proof of identity of the user on an endpoint using, for example, password based checks. An integrity status check may include determining the relative purity of the endpoint from software, hardware, and configurations that are considered harmful to the endpoint itself and to other devices with which it interacts. Examples of harmful software that may be inadvertently downloaded onto an endpoint include computer viruses or Trojans.
"An endpoint integrity system may use evaluation modules to assist in the various proof of identity and integrity status checks. Each evaluation module may check a different aspect relating to the identity or integrity status of the endpoint. The results of the evaluation modules are then combined into an overall result for an endpoint.
"In existing systems, evaluation modules may return a multi-state result that defines the output of the evaluation module. For example, each evaluation module may return an indication that the result of the security policy implemented by the evaluation module is 'allow', 'no access', 'isolate', or 'no recommendation'. The results of the evaluation modules may then be combined to determine an overall result for the endpoint."
As a supplement to the background information on this patent application, VerticalNews correspondents also obtained the inventors' summary information for this patent application: "In one aspect, a network device includes evaluation modules configured to communicate with an endpoint device, the evaluation modules configured to generate policy results for the endpoint device, each of the policy results being configured to assume one of three or more states. Further, a result combination component combines the generated policy results from the plurality of evaluation modules to produce a combined Boolean policy result.
"In another aspect, a method includes receiving a request, from an endpoint, to initiate a connection. The method further includes interacting with the endpoint to obtain policy results relating to a security state of the endpoint, each of the policy results assuming one of three or more possible states. Further, the method includes combining the policy results to obtain a Boolean policy result based on a criterion defined by an expression in which the set of possible operands for the expression includes each of the possible states of the plurality of policy results.
"In yet another aspect, a system includes gateway logic to control access between an endpoint and a protected network and logic to interact with the endpoint to obtain policy results relating to a security state of the endpoint, each of the policy results assuming one of three or more possible states. The system further includes logic to combine the plurality of policy results to obtain a Boolean policy result and logic to control access to resources of the protected network for the endpoint based on the Boolean policy result.
BRIEF DESCRIPTION OF THE DRAWINGS
"The accompanying drawings, which are incorporated in and constitute a part of this specification, illustrate an embodiment of the invention and, together with the description, explain the invention. In the drawings,
"FIG. 1 is a diagram of an exemplary system;
"FIG. 2 is an exemplary block diagram of a device that may correspond to one of the devices shown in FIG. 1;
"FIG. 3 is a diagram conceptually illustrating exemplary interaction of an endpoint and a policy decision component in determining policy results for the endpoint;
"FIG. 4 is a diagram conceptually illustrating the operation of a policy decision component in combining policy results for an endpoint from multiple evaluation modules;
"FIG. 5 is a flowchart of exemplary operations of an endpoint integrity system; and
"FIG. 6 is a diagram of an exemplary interface presented by a network device for configuring criteria relating to how policy results are to be combined."
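The combination step the summary describes, as an added example that is not code from the patent application or its inventors: each evaluation module returns one of the four states named in the background section ('allow', 'no access', 'isolate', 'no recommendation'), the states are tallied, and a criterion expression whose operands are those four states is evaluated to a single Boolean. The evaluation modules, the endpoint records and the two criterion strings are constructed assumptions; the patent text names the states and says the criterion is an expression over them, but not how such an expression is written or parsed.

```python
import ast
from collections import Counter
from enum import Enum
from typing import Callable, Dict, Mapping


class PolicyResult(Enum):
    """The four multi-state module outputs named in the patent background."""
    ALLOW = "allow"
    NO_ACCESS = "no_access"
    ISOLATE = "isolate"
    NO_RECOMMENDATION = "no_recommendation"


# Hypothetical evaluation modules (assumed for this example, not from the patent).
def password_check(ep: dict) -> PolicyResult:
    """Proof of identity of the user."""
    return PolicyResult.ALLOW if ep.get("password_ok") else PolicyResult.NO_ACCESS


def endpoint_identity_check(ep: dict) -> PolicyResult:
    """Proof of identity of the endpoint itself."""
    return PolicyResult.ALLOW if ep.get("machine_cert_ok") else PolicyResult.NO_ACCESS


def antivirus_check(ep: dict) -> PolicyResult:
    """Integrity status: module abstains when it has no data for the endpoint."""
    age = ep.get("av_signature_age_days")
    if age is None:
        return PolicyResult.NO_RECOMMENDATION
    return PolicyResult.ALLOW if age <= 7 else PolicyResult.ISOLATE


MODULES = {
    "password": password_check,
    "identity": endpoint_identity_check,
    "antivirus": antivirus_check,
}


def run_modules(ep: dict, modules=MODULES) -> Dict[str, PolicyResult]:
    """Collect one multi-state policy result per evaluation module."""
    return {name: module(ep) for name, module in modules.items()}


Criterion = Callable[[Mapping[PolicyResult, int]], bool]

# Only comparisons, and/or/not, integer literals and the four state names are
# accepted, so an operator-entered criterion cannot call functions or reach
# attributes even though it is ultimately evaluated by the interpreter.
_ALLOWED = (ast.Expression, ast.BoolOp, ast.And, ast.Or, ast.UnaryOp, ast.Not,
            ast.Compare, ast.Eq, ast.NotEq, ast.Lt, ast.LtE, ast.Gt, ast.GtE,
            ast.Name, ast.Load, ast.Constant)


def compile_criterion(expr: str) -> Criterion:
    """Turn a text expression over per-state counts into a Boolean predicate."""
    tree = ast.parse(expr, mode="eval")
    state_names = {s.value for s in PolicyResult}
    for node in ast.walk(tree):
        if not isinstance(node, _ALLOWED):
            raise ValueError(f"disallowed syntax in criterion: {type(node).__name__}")
        if isinstance(node, ast.Name) and node.id not in state_names:
            raise ValueError(f"unknown operand: {node.id}")
        if isinstance(node, ast.Constant) and not isinstance(node.value, int):
            raise ValueError(f"non-integer literal: {node.value!r}")
    code = compile(tree, "<criterion>", "eval")

    def criterion(counts: Mapping[PolicyResult, int]) -> bool:
        # Every state is bound as an operand, so a criterion can refer to any of them.
        env = {s.value: counts.get(s, 0) for s in PolicyResult}
        return bool(eval(code, {"__builtins__": {}}, env))

    return criterion


# Constructed criteria. STRICT fails closed: a set of results in which every
# module abstains has allow == 0 and is therefore denied.
STRICT = "no_access == 0 and isolate == 0 and allow >= 1"
ISOLATE_TOLERANT = "no_access == 0 and allow >= 1"


def combine(results: Mapping[str, PolicyResult], criterion: Criterion) -> bool:
    """Combine multi-state module results into one Boolean access decision."""
    return criterion(Counter(results.values()))


if __name__ == "__main__":
    # Constructed endpoint records, not real data.
    healthy = {"password_ok": True, "machine_cert_ok": True, "av_signature_age_days": 2}
    stale_av = {"password_ok": True, "machine_cert_ok": True, "av_signature_age_days": 30}
    for label, ep in (("healthy", healthy), ("stale_av", stale_av)):
        results = run_modules(ep)
        print(label, {k: v.value for k, v in results.items()},
              "strict:", combine(results, compile_criterion(STRICT)),
              "isolate_tolerant:", combine(results, compile_criterion(ISOLATE_TOLERANT)))
```

The grammar check runs before `eval`, not instead of it: the expression is walked as a syntax tree and anything other than comparisons, Boolean operators, integers and the four state names is rejected, which is what keeps an operator-supplied criterion from becoming code execution on the policy decision point. The `STRICT` criterion also shows the fail-closed property worth insisting on when 'no recommendation' is a legal module output: abstentions never count towards access.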
For additional information on this patent application, see: CHICKERING, Roger; HANNA, Stephen R.; FUNK, Paul; KOUGIOURIS, Panagiotis; KIRNER, Paul James. Combining Network Endpoint Policy Results. Filed
Keywords for this news article include: Software,
Our reports deliver fact-based news of research and discoveries from around the world. Copyright 2014, NewsRx LLC