US20230009167A1 - Post-connection client certificate authentication - Google Patents
Post-connection client certificate authentication Download PDFInfo
- Publication number
- US20230009167A1 US20230009167A1 US17/870,244 US202217870244A US2023009167A1 US 20230009167 A1 US20230009167 A1 US 20230009167A1 US 202217870244 A US202217870244 A US 202217870244A US 2023009167 A1 US2023009167 A1 US 2023009167A1
- Authority
- US
- United States
- Prior art keywords
- network
- access control
- access
- endpoint
- client
- Prior art date
- Legal status (The legal status is an assumption and is not a legal conclusion. Google has not performed a legal analysis and makes no representation as to the accuracy of the status listed.)
- Pending
Links
- 238000000034 method Methods 0.000 claims description 37
- 238000012545 processing Methods 0.000 claims description 31
- 238000004891 communication Methods 0.000 claims description 23
- 230000004044 response Effects 0.000 claims description 4
- 238000012544 monitoring process Methods 0.000 claims description 3
- 230000008878 coupling Effects 0.000 claims 6
- 238000010168 coupling process Methods 0.000 claims 6
- 238000005859 coupling reaction Methods 0.000 claims 6
- 238000010586 diagram Methods 0.000 description 10
- 230000000694 effects Effects 0.000 description 9
- 238000011156 evaluation Methods 0.000 description 7
- 230000002155 anti-virotic effect Effects 0.000 description 4
- 230000008569 process Effects 0.000 description 3
- 238000013500 data storage Methods 0.000 description 2
- 238000013461 design Methods 0.000 description 2
- 238000010295 mobile communication Methods 0.000 description 2
- 230000003287 optical effect Effects 0.000 description 2
- 238000004088 simulation Methods 0.000 description 2
- 230000003068 static effect Effects 0.000 description 2
- 238000013475 authorization Methods 0.000 description 1
- 230000006399 behavior Effects 0.000 description 1
- 230000005540 biological transmission Effects 0.000 description 1
- 230000001413 cellular effect Effects 0.000 description 1
- 238000001514 detection method Methods 0.000 description 1
- 238000005516 engineering process Methods 0.000 description 1
- 230000006870 function Effects 0.000 description 1
- 230000003116 impacting effect Effects 0.000 description 1
- 230000007246 mechanism Effects 0.000 description 1
- 238000012986 modification Methods 0.000 description 1
- 230000004048 modification Effects 0.000 description 1
- 230000008520 organization Effects 0.000 description 1
- 230000002265 prevention Effects 0.000 description 1
- 238000000926 separation method Methods 0.000 description 1
Images
Classifications
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0823—Network architectures or network communication protocols for network security for authentication of entities using certificates
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/02—Network architectures or network communication protocols for network security for separating internal from external traffic, e.g. firewalls
- H04L63/0272—Virtual private networks
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/08—Network architectures or network communication protocols for network security for authentication of entities
- H04L63/0876—Network architectures or network communication protocols for network security for authentication of entities based on the identity of the terminal or configuration, e.g. MAC address, hardware or software configuration or device fingerprint
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/101—Access control lists [ACL]
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/10—Network architectures or network communication protocols for network security for controlling access to devices or network resources
- H04L63/105—Multiple levels of security
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04L—TRANSMISSION OF DIGITAL INFORMATION, e.g. TELEGRAPHIC COMMUNICATION
- H04L63/00—Network architectures or network communication protocols for network security
- H04L63/20—Network architectures or network communication protocols for network security for managing network security; network security policies in general
-
- H—ELECTRICITY
- H04—ELECTRIC COMMUNICATION TECHNIQUE
- H04W—WIRELESS COMMUNICATION NETWORKS
- H04W12/00—Security arrangements; Authentication; Protecting privacy or anonymity
- H04W12/06—Authentication
- H04W12/069—Authentication using certificates or pre-shared keys
Definitions
- This disclosure relates to the field of network monitoring and, in particular, to post-connection client certificate authentication in a communication network.
- FIG. 1 is a block diagram illustrating an exemplary network architecture in which embodiments of the present disclosure may be implemented.
- FIG. 2 is a block diagram illustrating a network access controller for post-connection client certificate authentication, according to an embodiment.
- FIG. 3 is a flow diagram illustrating a method for post-connection client certificate authentication, according to an embodiment.
- FIG. 4 is a flow diagram illustrating a method for post-connection client certificate authentication, according to an embodiment.
- FIG. 5 is a block diagram illustrating an exemplary computer system on which embodiments of the present disclosure may be implemented.
- a network access control (NAC) device is aimed at controlling which network resources each device connecting to the communication network can and cannot access. This determination is typically made via an evaluation of conditions, such as determining whether the connecting device is a corporate endpoint or a rogue device, or determining whether the corporate endpoint is patched and has a valid anti-virus program installed, or not. These factors, and potentially many others, can then lead the NAC device to grant the connecting device a certain level of access to the network.
- a common difficulty with NAC implementations is that with tighter security controls, the longer it may take to evaluate what sort of network access the device should be granted. Consequently, in order to provide a smooth experience for the user of the connecting device, the connecting device may often be granted access to the network as a default behavior, and only have the access removed should the evaluations determine that the endpoint should not have been granted access. This smooth experience may come at the expense of security, however.
- One method of providing a good user experience together with a high level of security is the 802.1x protocol which ensures connecting devices are authenticated using an X.509 digital certificate, or other credentials, prior to even gaining access to the network.
- the authentication process is comparatively fast, and a high level of security is maintained.
- 802.1x implementation prevent many organizations from deploying an 802.1x based network security system.
- One of the major drawbacks is the fail-closed nature of the protocol. In a fail-closed system, if the devices managing network access fail in any way (e.g., power outage, server crash), then all new connections to the network will be denied as a matter of policy until the network access control device comes back on-line. This is an acceptable security outcome but can severely damage the user experience.
- a network switch or wireless controller is configured such that when it detects a new connection to the communication network, it immediately applies an access control list (ACL) or wireless role to prevent the connecting device accessing any network resources except for the NAC device and potentially other resources, such as a dynamic host configuration protocol (DHCP) server, a domain name system (DNS) server, or other authentication server.
- ACL access control list
- DHCP dynamic host configuration protocol
- DNS domain name system
- a connection between the connecting device and the NAC device is immediately established.
- a NAC agent on the connecting device sends a communication request to the NAC device to establish the connection. If the connecting device is agentless, the NAC device may monitor network activity to detect the presence of the connecting device and establish the connection.
- the connecting device provides a client certificate in order to authenticate itself to the NAC device. If the client certificate is validated (e.g., is issued by the corresponding organization, has not expired, has not been revoked, etc.), using, for example, an SSL handshake, the NAC device grants the connecting device network access to certain network resources except, optionally, the most sensitive parts of the network. Further evaluation of the connecting device may be conducted by the NAC device to determine whether the device meets the traditional requirements for network access, such as patch level and anti-virus. If the device passes this evaluation, then any sensitive network restrictions may be removed. If the endpoint fails evaluation, then network access is once again restricted, and the digital certificate is optionally revoked.
- the client certificate is validated (e.g., is issued by the corresponding organization, has not expired, has not been revoked, etc.), using, for example, an SSL handshake
- the NAC device grants the connecting device network access to certain network resources except, optionally, the most sensitive parts of the network. Further evaluation of the connecting device may
- the embodiments described herein offer an acceptable level of security without negatively impacting the experience of users of devices connecting to the communication network.
- Corporate devices are able to be authenticated quickly and efficiently to grant access to network resources while unauthorized devices are prevented from gaining unsanctioned access.
- the network access control system is also configured for the implementation of a fail-open protocol. In a fail-open system, if the NAC device fails, then all new and pending connections to the network will be granted as a matter of policy until the NAC device comes back on-line. This prioritizes the user experience with the understanding that access can be revoked from any unauthorized devices at a later time.
- FIG. 1 is a block diagram illustrating an exemplary network architecture in which implementations of the present disclosure may be implemented.
- the network architecture 100 can include one or more endpoint devices 110 communicating with network access control (NAC) device 120 , and one or more other network resources 140 over one or more networks 150 , according to one embodiment.
- Network 150 can be a local area network (LAN), a wireless network, a telephone network, a mobile communications network, a wide area network (WAN), such as the Internet, or similar communication system and in one embodiment, may include a network switch 130 .
- LAN local area network
- WAN wide area network
- FIG. 1 is a block diagram illustrating an exemplary network architecture in which implementations of the present disclosure may be implemented.
- the network architecture 100 can include one or more endpoint devices 110 communicating with network access control (NAC) device 120 , and one or more other network resources 140 over one or more networks 150 , according to one embodiment.
- Network 150 can be a local area network (LAN), a wireless network, a telephone network,
- Endpoint device 110 also referred to herein as a client device or computing device, may be any type of computing device including a server computer, gateway computer, desktop computer, laptop computer, mobile communications device, cell phone, smart phone, hand-held computer, tablet computer, set-top-box or similar computing device. Endpoint device 110 may be variously configured with different features to enable access to and use of the various network resources 140 .
- Network resources 140 may include any resources accessible by endpoint device 110 over network 150 , such as an email server, an Internet server, a media server, hardware devices, virtual machines, or any other resources.
- endpoint device 110 includes NAC agent 112 .
- NAC agent 112 may be a hardware module, software module, or some combination thereof configured to gather information associated with endpoint device 110 and send that information to NAC device 120 .
- the information can include the operating system and version, firmware version, serial number, vendor (e.g., manufacturer), model, asset tag, software executing on a device (e.g., anti-virus software, malware detection software, office applications, web browser(s), communication applications, etc.), services that are active or configured on the device, ports that are open or that the device is configured to communicate with (e.g., associated with services running on the device), MAC address, processor utilization, unique identifiers, computer name, etc.
- NAC agent 112 may be configured to provide different levels and pieces of information based on device 110 and the information available to agent 112 from device 110 .
- NAC agent 112 may further be configured to establish a connection with NAC device 120 including sending a communication request upon connection of endpoint device 110 to network 150 .
- NAC agent 112 may provide a client certificate to NAC device 120 in response to a request in order to authenticate endpoint device 110 and allow endpoint device 110 access to network resources 140 .
- the client certificate may be a X.509 client certificate provided by certificate authority 160 . Certificate authority 160 may be connected to network 150 or may be accessible by endpoint device 110 through some other network connection.
- endpoint device 110 may connect to network 150 through switch 130 , as switch 130 may be part of the infrastructure of network 150 .
- switch 130 may be separately connected to network 150 but may monitor and control the network communications of endpoint device 110 .
- Switch 130 may include one or more network devices configured to facilitate communication among other network devices such as endpoint device 110 , NAC device 120 and network resources 140 .
- switch 130 may be referred to as an access control device and may include one or more network switches, access points, routers, firewalls, or hubs, a wireless controller, a virtual switch, etc.
- NAC device 120 may be configured for a variety of tasks including monitoring and controlling access for devices, such as endpoint device 110 , connected to network 150 .
- NAC device 120 may be a computing system, network device (e.g., router, firewall, access point), intrusion prevention system (IPS), intrusion detection system (IDS), deception device, cloud-based device, virtual machine based system, etc.
- IPS intrusion prevention system
- IDS intrusion detection system
- deception device e.g., cloud-based device, virtual machine based system, etc.
- cloud-based device e.g., virtual machine based system, etc.
- NAC device 120 may communicate with different network devices and security products to access information that may be used for authentication of devices coupled to network 150 .
- NAC device 120 may be communicatively coupled to switch 130 in such a way as to receive network traffic flowing through switch 130 (e.g., port mirroring).
- NAC device 120 includes network access (NA) controller 125 .
- NA controller 125 may be a hardware module, software module, or some combination thereof configured to implement the authorization protocol and determine what level of network access to grant to endpoint device 110 .
- NA controller 125 may communication with NAC agent 112 on endpoint device 110 and with switch 130 to control the network access. Additional details regarding the operation of NA controller 125 are described below with respect to FIGS. 2 - 4 .
- FIG. 2 is a block diagram illustrating a network access controller for post-connection client certificate authentication, according to an embodiment.
- NA controller 125 includes access control list manager 210 , NAC agent interface 215 , network activity monitor 220 , client certificate manager 225 and access policy manager 230 .
- This arrangement of modules may be a logical separation, and in other embodiments, these modules or other components can be combined together or separated in further components.
- NAC device 120 may include NA controller 125 and data store 240 .
- data store 240 may be external to NAC device 120 and may be connected to NAC device 120 over a network or other connection.
- NAC device 120 may include different and/or additional components which are not shown to simplify the description.
- Data store 240 may include one or more mass storage devices which can include, for example, flash memory, magnetic or optical disks, or tape drives; read-only memory (ROM); random-access memory (RAM); erasable programmable memory (e.g., EPROM and EEPROM); flash memory; or any other type of storage medium.
- mass storage devices can include, for example, flash memory, magnetic or optical disks, or tape drives; read-only memory (ROM); random-access memory (RAM); erasable programmable memory (e.g., EPROM and EEPROM); flash memory; or any other type of storage medium.
- access control list manager 210 creates, manages and applies an access control list (ACL) 242 to switch 130 to control what network resources 140 a particular device (e.g., endpoint device 110 ) or group of devices has access to over network 150 .
- ACL access control list
- the access control list 242 includes rules that are applied to port numbers or IP addresses that are available in network 150 , each with a list of devices and/or networks permitted to use the corresponding resources or services.
- the access control list 242 can generally be configured to control both inbound and outbound traffic, similar to a firewall.
- module 210 may implement other forms of access control, such as a virtual local area network (VLAN) assignment, virtual role, virtual firewall or other solution, that limits which resources in the network a particular device can access.
- VLAN virtual local area network
- access control list manager 210 preconfigures switch 130 with an access control list 242 , or a VLAN assignment, to be applied to any newly connected device, such as endpoint device 110 .
- the preconfigured access control list 242 may cause switch 130 to restrict the access of endpoint device 110 to all of network resources 140 .
- the access control list 242 may grant endpoint device 110 access only to network access control device 120 until endpoint device 110 can be authenticated.
- access control list manager 210 may update the access control list 242 applied to switch 130 or apply a new access control list to switch 130 to grant endpoint device 110 access to more or all of network resources 140 .
- the configuration described above thus represents a fail-open configuration.
- NAC agent interface 215 manages communication between NA controller 125 and NAC agent 112 on endpoint device 110 .
- NAC agent interface 215 receives a communication request from NAC agent 112 upon connection of endpoint device 110 to network 150 .
- NAC agent interface 215 may receive a client certificate from NAC agent 112 , which may be used to authenticate endpoint device 110 and determine whether endpoint device 110 is a corporate device.
- NAC agent interface 215 may perform a client certificate handshake operation, such as a secure sockets layer (SSL) or transport layer security (TLS) handshake using a secured transmission control protocol (TCP) connection, to determine communication protocols, encryption information, exchange certificates, and authenticate endpoint device 110 .
- SSL secure sockets layer
- TLS transport layer security
- TCP transmission control protocol
- some other security token may be used, such as a symmetric key, asymetric public/private key pair, etc.
- network activity monitor 220 monitors activity across network 150 or through switch 130 to detect the presence of newly connected devices. Certain endpoint devices may not be equipped with a NAC agent and thus, may not be configured to establish a connection with NAC device 120 to be authenticated. Network activity monitor 220 can monitor packets sent over network 150 , read source and destination IP addresses, and compare those addresses with a list of known devices to determine whether a new device has been connected. In another embodiment, network activity monitor 220 may detect the presence of a device in some other fashion, such as by receiving traps from the switch 130 . If a new device is detected that has not been authenticated, network activity monitor 220 can notify client certificate manager 225 so that the device can be authenticated.
- client certificate manager 225 receives the client certificate (e.g., an X.509 certificate), or some other verifiable identifier or token, and uses the certificate to authenticate the corresponding device, such as endpoint device 110 .
- the client certificate received from the endpoint device 110 may include a subject name, a client public key and a digital signature of the client public key, signed by a certificate authority 160 .
- Client certificate manager 225 retrieves a certificate authority certificate comprising a certificate authority (CA) public key from the certificate authority 160 and uses the CA public key to verify the digital signature from the client certificate and to check whether the certificate has expired or been revoked. Once verified, client certificate manager 225 can verify the client subject name using the client public key and determine that the corresponding endpoint device 110 is authenticated and can notify access control list manager 210 to update the access permissions for endpoint device 110 .
- CA certificate authority
- access policy manager 230 performs an additional evaluation of an authenticated endpoint device 110 using access policy data 244 to determine an appropriate level of network access to be granted.
- Access policy data 244 may define a number of conditions to be evaluated, the results of which may affect which network resources 140 are accessible by the endpoint device.
- the conditions may correspond to information about the endpoint device including, for example, the operating system and version, firmware version, serial number, vendor (e.g., manufacturer), model, asset tag, software executing on a device (e.g., anti-virus software, malware detection software, office applications, web browser(s), communication applications, etc.), services that are active or configured on the device, ports that are open or that the device is configured to communicate with (e.g., associated with services running on the device), MAC address, processor utilization, unique identifiers, computer name, etc.
- the conditions may also include a time and/or location of the connection request, a number of connection requests from the endpoint device, a user account associated with the endpoint device or other information.
- FIG. 3 is a flow diagram illustrating a method for post-connection client certificate authentication, according to an embodiment.
- the method 300 may be performed by processing logic that comprises hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions run on a processing device to perform hardware simulation), firmware or a combination thereof.
- the method 300 can be used to authenticate an endpoint device 110 connected to network 150 and determine a level of access to grant endpoint device 110 to network resources 140 .
- method 300 may be performed by NA controller 125 , as shown in FIGS. 1 and 2 .
- method 300 detects a connection of an endpoint device 110 at a network switch 130 coupled to a network 150 .
- method 300 restricts access of the endpoint device 110 to prevent the endpoint device 110 from accessing resources 140 of the network.
- access control list manager 210 preconfigures network switch 130 with an access control list 242 that restricts the access of endpoint device 110 to all of network resources 140 . Initially, upon connection, the access control list 242 may grant endpoint device 110 access only to network access control device 120 until endpoint device 110 can be authenticated. This may prevent the endpoint device 110 from accessing any network resources 140 except for the NAC device 120 .
- all ports on switch 130 may be already configured in a “restrict” mode.
- endpoint device 110 would be restricted from accessing network resources 140 even before connecting to network 150 .
- the occurrence of the operations at block 310 is optional with respect to block 320 , as block 320 may restrict access on a switch port regardless of whether or not an endpoint device was detected at block 310 .
- method 300 establishes a connection between NAC device 120 and the endpoint device 110 .
- endpoint device 110 includes a NAC agent 112
- NAC agent interface 215 may receive a communication request from NAC agent 112 upon connection of endpoint device 110 to network 150 .
- NAC agent interface 215 may perform a secure sockets layer (SSL) or transport layer security (TLS) handshake to determine communication protocols, encryption information, exchange certificates, and authenticate endpoint device 110 .
- SSL secure sockets layer
- TLS transport layer security
- network activity monitor 220 can monitor activity across network 150 or through switch 130 to detect the presence of endpoint device 110 and then establish a connection in order to authenticate endpoint device 110 .
- method 300 validates a client certificate corresponding to the endpoint device 110 to authenticate the endpoint device 110 as a corporate device.
- client certificate manager 225 receives the client certificate (e.g., an X.509 certificate) and uses the certificate to authenticate endpoint device 110 . Additional details of the authentication process are described below with respect to FIG. 4 .
- method 300 grants the endpoint device 110 access to the resources 140 of the network.
- client certificate manager 225 can determine that the corresponding endpoint device 110 is authenticated and can notify access control list manager 210 to update the access permissions for endpoint device 110 .
- Access control list manager 210 may update the access control list 242 applied to switch 130 or apply a new access control list to switch 130 to grant endpoint device 110 access to more or all of network resources 140 .
- the resources to which access is granted may be defined by access policy manager 230 .
- Access policy manager 230 performs an additional evaluation of an authenticated endpoint device 110 using access policy data 244 to determine an appropriate level of network access to be granted.
- FIG. 4 is a flow diagram illustrating a method for post-connection client certificate authentication, according to an embodiment.
- the method 400 may be performed by processing logic that comprises hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions run on a processing device to perform hardware simulation), firmware or a combination thereof.
- the method 400 can be used to authenticate an endpoint device 110 connected to network 150 and determine a level of access to grant endpoint device 110 to network resources 140 .
- method 400 may be performed by NA controller 125 , as shown in FIGS. 1 and 2 .
- method 400 receives the client certificate from the endpoint device 110 , the client certificate comprising a subject name, a client public key and a digital signature of the client public key, signed by a certificate authority 160 .
- the client certificate includes a digital signature of some unique item. For example, in HTTPS, there could be a digital signature of a DNS name of the server. Verifying the digital signature ensures the client that the web server is authentic.
- the unique item could be the username of a user logged in to the endpoint device 110 , or the hostname of the endpoint device 110 .
- method 400 retrieves a certificate authority certificate from the certificate authority 160 , the certificate authority certificate comprising a certificate authority (CA) public key.
- method 400 verifies the digital signature of the client public key using the certificate authority public key.
- method 400 verifies the client subject name using the client public key.
- FIG. 5 illustrates a diagrammatic representation of a machine in the example form of a computer system 500 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed.
- the machine may be connected (e.g., networked) to other machines in a local area network (LAN), an intranet, an extranet, or the Internet.
- the machine may operate in the capacity of a server or a client machine in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment.
- the machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, a hub, an access point, a network access control device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
- PC personal computer
- PDA Personal Digital Assistant
- STB set-top box
- a cellular telephone a web appliance
- server a network router, a switch or bridge, a hub, an access point, a network access control device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine.
- machine shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein.
- computer system 500 may be representative of a server, such as network access
- the exemplary computer system 500 includes a processing device 502 , a main memory 504 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM), a static memory 506 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 518 , which communicate with each other via a bus 530 .
- main memory 504 e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM), a static memory 506 (e.g., flash memory, static random access memory (SRAM), etc.
- SRAM static random access memory
- Any of the signals provided over various buses described herein may be time multiplexed with other signals and provided over one or more common buses.
- the interconnection between circuit components or blocks may be shown as buses or as single signal lines. Each of the buses may alternatively be one or more single signal lines and each of the single signal lines may alternatively be buses.
- Processing device 502 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processing device may be complex instruction set computing (CISC) microprocessor, reduced instruction set computer (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets. Processing device 502 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. The processing device 502 is configured to execute processing logic 526 , which includes NAC controller 125 as shown in FIG. 2 , for performing the operations and steps discussed herein.
- processing logic 526 includes NAC controller 125 as shown in FIG. 2 , for performing the operations and steps discussed herein.
- the data storage device 518 may include a machine-readable storage medium 528 , on which is stored one or more set of instructions 522 (e.g., software) embodying any one or more of the methodologies of functions described herein, including instructions to cause the processing device 502 to execute NAC controller 125 .
- the instructions 522 may also reside, completely or at least partially, within the main memory 504 and/or within the processing device 502 during execution thereof by the computer system 500 ; the main memory 504 and the processing device 502 also constituting machine-readable storage media.
- the instructions 522 may further be transmitted or received over a network 520 via the network interface device 508 .
- the machine-readable storage medium 528 may also be used to store instructions to perform a method for client certificate authentication, as described herein. While the machine-readable storage medium 528 is shown in an exemplary embodiment to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions.
- a machine-readable medium includes any mechanism for storing information in a form (e.g., software, processing application) readable by a machine (e.g., a computer).
- the machine-readable medium may include, but is not limited to, magnetic storage medium (e.g., floppy diskette); optical storage medium (e.g., CD-ROM); magneto-optical storage medium; read-only memory (ROM); random-access memory (RAM); erasable programmable memory (e.g., EPROM and EEPROM); flash memory; or another type of medium suitable for storing electronic instructions.
- magnetic storage medium e.g., floppy diskette
- optical storage medium e.g., CD-ROM
- magneto-optical storage medium e.g., magneto-optical storage medium
- ROM read-only memory
- RAM random-access memory
- EPROM and EEPROM erasable programmable memory
- flash memory or another type of medium suitable for storing electronic instructions.
- some embodiments may be practiced in distributed computing environments where the machine-readable medium is stored on and or executed by more than one computer system.
- the information transferred between computer systems may either be pulled or pushed across the communication medium connecting the computer systems.
- Embodiments of the claimed subject matter include, but are not limited to, various operations described herein. These operations may be performed by hardware components, software, firmware, or a combination thereof.
- the term “or” is intended to mean an inclusive “or” rather than an exclusive “or”. That is, unless specified otherwise, or clear from context, “X includes A or B” is intended to mean any of the natural inclusive permutations. That is, if X includes A; X includes B; or X includes both A and B, then “X includes A or B” is satisfied under any of the foregoing instances.
- the articles “a” and “an” as used in this application and the appended claims should generally be construed to mean “one or more” unless specified otherwise or clear from context to be directed to a singular form.
Landscapes
- Engineering & Computer Science (AREA)
- Computer Security & Cryptography (AREA)
- Computer Networks & Wireless Communication (AREA)
- Signal Processing (AREA)
- Computer Hardware Design (AREA)
- Computing Systems (AREA)
- General Engineering & Computer Science (AREA)
- Power Engineering (AREA)
- Data Exchanges In Wide-Area Networks (AREA)
Abstract
Description
- This application is a continuation of U.S. application Ser. No. 16/710,822, filed Dec. 11, 2019, which is a continuation of U.S. application Ser. No. 15/383,230, filed Dec. 19, 2016, the entire contents of each of which are hereby incorporated by reference.
- This disclosure relates to the field of network monitoring and, in particular, to post-connection client certificate authentication in a communication network.
- As technology advances, the number and variety of devices that are connected to communication networks are rapidly increasing. Authentication of devices connected to a network can be useful for securing the communication network in order to prevent unauthorized or rogue devices from accessing network resources. Current authentication solutions are limited and narrow in their authentication abilities and are often time consuming processes that negatively affect the user experience. In addition, some current solutions are also cumbersome to configure and require precise configuration of many different network components.
- Aspects and embodiments of the present disclosure will be understood more fully from the detailed description given below and from the accompanying drawings. The present disclosure is illustrated by way of example, and not by way of limitation, in the figures of the accompanying drawings.
-
FIG. 1 is a block diagram illustrating an exemplary network architecture in which embodiments of the present disclosure may be implemented. -
FIG. 2 is a block diagram illustrating a network access controller for post-connection client certificate authentication, according to an embodiment. -
FIG. 3 is a flow diagram illustrating a method for post-connection client certificate authentication, according to an embodiment. -
FIG. 4 is a flow diagram illustrating a method for post-connection client certificate authentication, according to an embodiment. -
FIG. 5 is a block diagram illustrating an exemplary computer system on which embodiments of the present disclosure may be implemented. - Embodiments are described for post-connection client certificate authentication in a communication network. In one embodiment, a network access control (NAC) device is aimed at controlling which network resources each device connecting to the communication network can and cannot access. This determination is typically made via an evaluation of conditions, such as determining whether the connecting device is a corporate endpoint or a rogue device, or determining whether the corporate endpoint is patched and has a valid anti-virus program installed, or not. These factors, and potentially many others, can then lead the NAC device to grant the connecting device a certain level of access to the network.
- A common difficulty with NAC implementations, however, is that with tighter security controls, the longer it may take to evaluate what sort of network access the device should be granted. Consequently, in order to provide a smooth experience for the user of the connecting device, the connecting device may often be granted access to the network as a default behavior, and only have the access removed should the evaluations determine that the endpoint should not have been granted access. This smooth experience may come at the expense of security, however.
- One method of providing a good user experience together with a high level of security is the 802.1x protocol which ensures connecting devices are authenticated using an X.509 digital certificate, or other credentials, prior to even gaining access to the network. The authentication process is comparatively fast, and a high level of security is maintained. There are, however, many complications with 802.1x implementation that prevent many organizations from deploying an 802.1x based network security system. One of the major drawbacks is the fail-closed nature of the protocol. In a fail-closed system, if the devices managing network access fail in any way (e.g., power outage, server crash), then all new connections to the network will be denied as a matter of policy until the network access control device comes back on-line. This is an acceptable security outcome but can severely damage the user experience.
- The embodiments described herein provide an alternative to the pre-connect 802.1x protocol, using a post-connect paradigm. These embodiments utilize a working Public-Private Key Infrastructure with X.509 client certificates installed on connecting corporate endpoints. In one embodiment, a network switch or wireless controller (WLC) is configured such that when it detects a new connection to the communication network, it immediately applies an access control list (ACL) or wireless role to prevent the connecting device accessing any network resources except for the NAC device and potentially other resources, such as a dynamic host configuration protocol (DHCP) server, a domain name system (DNS) server, or other authentication server. A connection between the connecting device and the NAC device is immediately established. In one embodiment, a NAC agent on the connecting device sends a communication request to the NAC device to establish the connection. If the connecting device is agentless, the NAC device may monitor network activity to detect the presence of the connecting device and establish the connection.
- In one embodiment, the connecting device provides a client certificate in order to authenticate itself to the NAC device. If the client certificate is validated (e.g., is issued by the corresponding organization, has not expired, has not been revoked, etc.), using, for example, an SSL handshake, the NAC device grants the connecting device network access to certain network resources except, optionally, the most sensitive parts of the network. Further evaluation of the connecting device may be conducted by the NAC device to determine whether the device meets the traditional requirements for network access, such as patch level and anti-virus. If the device passes this evaluation, then any sensitive network restrictions may be removed. If the endpoint fails evaluation, then network access is once again restricted, and the digital certificate is optionally revoked.
- The embodiments described herein offer an acceptable level of security without negatively impacting the experience of users of devices connecting to the communication network. Corporate devices are able to be authenticated quickly and efficiently to grant access to network resources while unauthorized devices are prevented from gaining unsanctioned access. The network access control system is also configured for the implementation of a fail-open protocol. In a fail-open system, if the NAC device fails, then all new and pending connections to the network will be granted as a matter of policy until the NAC device comes back on-line. This prioritizes the user experience with the understanding that access can be revoked from any unauthorized devices at a later time.
-
FIG. 1 is a block diagram illustrating an exemplary network architecture in which implementations of the present disclosure may be implemented. Thenetwork architecture 100 can include one ormore endpoint devices 110 communicating with network access control (NAC)device 120, and one or moreother network resources 140 over one ormore networks 150, according to one embodiment. Network 150 can be a local area network (LAN), a wireless network, a telephone network, a mobile communications network, a wide area network (WAN), such as the Internet, or similar communication system and in one embodiment, may include anetwork switch 130.Endpoint device 110, also referred to herein as a client device or computing device, may be any type of computing device including a server computer, gateway computer, desktop computer, laptop computer, mobile communications device, cell phone, smart phone, hand-held computer, tablet computer, set-top-box or similar computing device.Endpoint device 110 may be variously configured with different features to enable access to and use of thevarious network resources 140.Network resources 140 may include any resources accessible byendpoint device 110 overnetwork 150, such as an email server, an Internet server, a media server, hardware devices, virtual machines, or any other resources. - In one embodiment,
endpoint device 110 includesNAC agent 112.NAC agent 112 may be a hardware module, software module, or some combination thereof configured to gather information associated withendpoint device 110 and send that information toNAC device 120. The information can include the operating system and version, firmware version, serial number, vendor (e.g., manufacturer), model, asset tag, software executing on a device (e.g., anti-virus software, malware detection software, office applications, web browser(s), communication applications, etc.), services that are active or configured on the device, ports that are open or that the device is configured to communicate with (e.g., associated with services running on the device), MAC address, processor utilization, unique identifiers, computer name, etc. NACagent 112 may be configured to provide different levels and pieces of information based ondevice 110 and the information available toagent 112 fromdevice 110. In one embodiment,NAC agent 112 may further be configured to establish a connection withNAC device 120 including sending a communication request upon connection ofendpoint device 110 tonetwork 150. In addition,NAC agent 112 may provide a client certificate toNAC device 120 in response to a request in order to authenticateendpoint device 110 and allowendpoint device 110 access tonetwork resources 140. In one embodiment, the client certificate may be a X.509 client certificate provided bycertificate authority 160.Certificate authority 160 may be connected tonetwork 150 or may be accessible byendpoint device 110 through some other network connection. - In one embodiment,
endpoint device 110 may connect tonetwork 150 throughswitch 130, asswitch 130 may be part of the infrastructure ofnetwork 150. In another embodiment,switch 130 may be separately connected tonetwork 150 but may monitor and control the network communications ofendpoint device 110.Switch 130 may include one or more network devices configured to facilitate communication among other network devices such asendpoint device 110,NAC device 120 andnetwork resources 140. Depending on the embodiment, switch 130 may be referred to as an access control device and may include one or more network switches, access points, routers, firewalls, or hubs, a wireless controller, a virtual switch, etc. -
NAC device 120 may be configured for a variety of tasks including monitoring and controlling access for devices, such asendpoint device 110, connected tonetwork 150.NAC device 120 may be a computing system, network device (e.g., router, firewall, access point), intrusion prevention system (IPS), intrusion detection system (IDS), deception device, cloud-based device, virtual machine based system, etc.NAC device 120 may communicate with different network devices and security products to access information that may be used for authentication of devices coupled tonetwork 150.NAC device 120 may be communicatively coupled to switch 130 in such a way as to receive network traffic flowing through switch 130 (e.g., port mirroring). - In one embodiment,
NAC device 120 includes network access (NA)controller 125.NA controller 125 may be a hardware module, software module, or some combination thereof configured to implement the authorization protocol and determine what level of network access to grant toendpoint device 110. In one embodiment,NA controller 125 may communication withNAC agent 112 onendpoint device 110 and withswitch 130 to control the network access. Additional details regarding the operation ofNA controller 125 are described below with respect toFIGS. 2-4 . -
FIG. 2 is a block diagram illustrating a network access controller for post-connection client certificate authentication, according to an embodiment. In one embodiment,NA controller 125 includes accesscontrol list manager 210,NAC agent interface 215,network activity monitor 220,client certificate manager 225 andaccess policy manager 230. This arrangement of modules may be a logical separation, and in other embodiments, these modules or other components can be combined together or separated in further components. In one embodiment,NAC device 120 may includeNA controller 125 anddata store 240. In another embodiment,data store 240 may be external toNAC device 120 and may be connected toNAC device 120 over a network or other connection. In other embodiments,NAC device 120 may include different and/or additional components which are not shown to simplify the description.Data store 240 may include one or more mass storage devices which can include, for example, flash memory, magnetic or optical disks, or tape drives; read-only memory (ROM); random-access memory (RAM); erasable programmable memory (e.g., EPROM and EEPROM); flash memory; or any other type of storage medium. - In one embodiment, access
control list manager 210 creates, manages and applies an access control list (ACL) 242 to switch 130 to control what network resources 140 a particular device (e.g., endpoint device 110) or group of devices has access to overnetwork 150. In one embodiment theaccess control list 242 includes rules that are applied to port numbers or IP addresses that are available innetwork 150, each with a list of devices and/or networks permitted to use the corresponding resources or services. Theaccess control list 242 can generally be configured to control both inbound and outbound traffic, similar to a firewall. In other embodiments,module 210 may implement other forms of access control, such as a virtual local area network (VLAN) assignment, virtual role, virtual firewall or other solution, that limits which resources in the network a particular device can access. In one embodiment, accesscontrol list manager 210 preconfigures switch 130 with anaccess control list 242, or a VLAN assignment, to be applied to any newly connected device, such asendpoint device 110. The preconfiguredaccess control list 242 may causeswitch 130 to restrict the access ofendpoint device 110 to all ofnetwork resources 140. Initially, upon connection, theaccess control list 242 may grantendpoint device 110 access only to networkaccess control device 120 untilendpoint device 110 can be authenticated. Onceendpoint device 110 is authenticated, accesscontrol list manager 210 may update theaccess control list 242 applied to switch 130 or apply a new access control list to switch 130 to grantendpoint device 110 access to more or all ofnetwork resources 140. The configuration described above thus represents a fail-open configuration. Since all ports onswitch 130 are initially configured in an “open” mode, only being restricted when a new device is connected, ifNAC device 120 suffers a failure, and is unable to restrict the ports, all new and pending connections to thenetwork 150 will be granted as a matter of policy untilNAC device 120 comes back on-line. In another embodiment, however, the system may have a fail-closed configuration. In this arrangement, all ports onswitch 130 are configured in a “restrict” mode (even when nothing is connected to the port). Thus, ifNAC device 120 is unable to open the ports open connection of a new device, all connection attempts will be denied. - In one embodiment,
NAC agent interface 215 manages communication betweenNA controller 125 andNAC agent 112 onendpoint device 110. In one embodiment,NAC agent interface 215 receives a communication request fromNAC agent 112 upon connection ofendpoint device 110 tonetwork 150. In addition,NAC agent interface 215 may receive a client certificate fromNAC agent 112, which may be used to authenticateendpoint device 110 and determine whetherendpoint device 110 is a corporate device. For example,NAC agent interface 215 may perform a client certificate handshake operation, such as a secure sockets layer (SSL) or transport layer security (TLS) handshake using a secured transmission control protocol (TCP) connection, to determine communication protocols, encryption information, exchange certificates, and authenticateendpoint device 110. In other embodiments, some other security token may be used, such as a symmetric key, asymetric public/private key pair, etc. - In one embodiment, network activity monitor 220 monitors activity across
network 150 or throughswitch 130 to detect the presence of newly connected devices. Certain endpoint devices may not be equipped with a NAC agent and thus, may not be configured to establish a connection withNAC device 120 to be authenticated. Network activity monitor 220 can monitor packets sent overnetwork 150, read source and destination IP addresses, and compare those addresses with a list of known devices to determine whether a new device has been connected. In another embodiment, network activity monitor 220 may detect the presence of a device in some other fashion, such as by receiving traps from theswitch 130. If a new device is detected that has not been authenticated, network activity monitor 220 can notifyclient certificate manager 225 so that the device can be authenticated. - In one embodiment,
client certificate manager 225 receives the client certificate (e.g., an X.509 certificate), or some other verifiable identifier or token, and uses the certificate to authenticate the corresponding device, such asendpoint device 110. In one embodiment, the client certificate received from theendpoint device 110 may include a subject name, a client public key and a digital signature of the client public key, signed by acertificate authority 160.Client certificate manager 225 retrieves a certificate authority certificate comprising a certificate authority (CA) public key from thecertificate authority 160 and uses the CA public key to verify the digital signature from the client certificate and to check whether the certificate has expired or been revoked. Once verified,client certificate manager 225 can verify the client subject name using the client public key and determine that thecorresponding endpoint device 110 is authenticated and can notify accesscontrol list manager 210 to update the access permissions forendpoint device 110. - In one embodiment,
access policy manager 230 performs an additional evaluation of an authenticatedendpoint device 110 usingaccess policy data 244 to determine an appropriate level of network access to be granted.Access policy data 244 may define a number of conditions to be evaluated, the results of which may affect which networkresources 140 are accessible by the endpoint device. The conditions may correspond to information about the endpoint device including, for example, the operating system and version, firmware version, serial number, vendor (e.g., manufacturer), model, asset tag, software executing on a device (e.g., anti-virus software, malware detection software, office applications, web browser(s), communication applications, etc.), services that are active or configured on the device, ports that are open or that the device is configured to communicate with (e.g., associated with services running on the device), MAC address, processor utilization, unique identifiers, computer name, etc. The conditions may also include a time and/or location of the connection request, a number of connection requests from the endpoint device, a user account associated with the endpoint device or other information. -
FIG. 3 is a flow diagram illustrating a method for post-connection client certificate authentication, according to an embodiment. Themethod 300 may be performed by processing logic that comprises hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions run on a processing device to perform hardware simulation), firmware or a combination thereof. Themethod 300 can be used to authenticate anendpoint device 110 connected to network 150 and determine a level of access to grantendpoint device 110 to networkresources 140. In one embodiment,method 300 may be performed byNA controller 125, as shown inFIGS. 1 and 2 . - Referring to
FIG. 3 , atblock 310,method 300 detects a connection of anendpoint device 110 at anetwork switch 130 coupled to anetwork 150. Atblock 320,method 300 restricts access of theendpoint device 110 to prevent theendpoint device 110 from accessingresources 140 of the network. In one embodiment, accesscontrol list manager 210 preconfiguresnetwork switch 130 with anaccess control list 242 that restricts the access ofendpoint device 110 to all ofnetwork resources 140. Initially, upon connection, theaccess control list 242 may grantendpoint device 110 access only to networkaccess control device 120 untilendpoint device 110 can be authenticated. This may prevent theendpoint device 110 from accessing anynetwork resources 140 except for theNAC device 120. In another embodiment where the system uses a fail-closed configuration, all ports onswitch 130 may be already configured in a “restrict” mode. Thus,endpoint device 110 would be restricted from accessingnetwork resources 140 even before connecting tonetwork 150. In one embodiment, the occurrence of the operations atblock 310 is optional with respect to block 320, asblock 320 may restrict access on a switch port regardless of whether or not an endpoint device was detected atblock 310. - At
block 330,method 300 establishes a connection betweenNAC device 120 and theendpoint device 110. Ifendpoint device 110 includes aNAC agent 112,NAC agent interface 215 may receive a communication request fromNAC agent 112 upon connection ofendpoint device 110 tonetwork 150.NAC agent interface 215 may perform a secure sockets layer (SSL) or transport layer security (TLS) handshake to determine communication protocols, encryption information, exchange certificates, and authenticateendpoint device 110. Ifendpoint device 110 is not equipped with a NAC agent, network activity monitor 220 can monitor activity acrossnetwork 150 or throughswitch 130 to detect the presence ofendpoint device 110 and then establish a connection in order to authenticateendpoint device 110. - At
block 340,method 300 validates a client certificate corresponding to theendpoint device 110 to authenticate theendpoint device 110 as a corporate device. In one embodiment,client certificate manager 225 receives the client certificate (e.g., an X.509 certificate) and uses the certificate to authenticateendpoint device 110. Additional details of the authentication process are described below with respect toFIG. 4 . - At
block 350,method 300 grants theendpoint device 110 access to theresources 140 of the network. Once verified,client certificate manager 225 can determine that thecorresponding endpoint device 110 is authenticated and can notify accesscontrol list manager 210 to update the access permissions forendpoint device 110. Accesscontrol list manager 210 may update theaccess control list 242 applied to switch 130 or apply a new access control list to switch 130 to grantendpoint device 110 access to more or all ofnetwork resources 140. The resources to which access is granted may be defined byaccess policy manager 230.Access policy manager 230 performs an additional evaluation of an authenticatedendpoint device 110 usingaccess policy data 244 to determine an appropriate level of network access to be granted. -
FIG. 4 is a flow diagram illustrating a method for post-connection client certificate authentication, according to an embodiment. Themethod 400 may be performed by processing logic that comprises hardware (e.g., circuitry, dedicated logic, programmable logic, microcode, etc.), software (e.g., instructions run on a processing device to perform hardware simulation), firmware or a combination thereof. Themethod 400 can be used to authenticate anendpoint device 110 connected to network 150 and determine a level of access to grantendpoint device 110 to networkresources 140. In one embodiment,method 400 may be performed byNA controller 125, as shown inFIGS. 1 and 2 . - Referring to
FIG. 4 , atblock 410,method 400 receives the client certificate from theendpoint device 110, the client certificate comprising a subject name, a client public key and a digital signature of the client public key, signed by acertificate authority 160. In one embodiment, the client certificate includes a digital signature of some unique item. For example, in HTTPS, there could be a digital signature of a DNS name of the server. Verifying the digital signature ensures the client that the web server is authentic. Depending on the embodiment, the unique item could be the username of a user logged in to theendpoint device 110, or the hostname of theendpoint device 110. When an X.509 certificate is used, this unique item is referred to as “Subject Name.” In other embodiments, a fingerprint of the certificate or a secret code stored in a registry may be used. At block 420,method 400 retrieves a certificate authority certificate from thecertificate authority 160, the certificate authority certificate comprising a certificate authority (CA) public key. Atblock 430,method 400 verifies the digital signature of the client public key using the certificate authority public key. Atblock 440,method 400 verifies the client subject name using the client public key. -
FIG. 5 illustrates a diagrammatic representation of a machine in the example form of acomputer system 500 within which a set of instructions, for causing the machine to perform any one or more of the methodologies discussed herein, may be executed. In alternative embodiments, the machine may be connected (e.g., networked) to other machines in a local area network (LAN), an intranet, an extranet, or the Internet. The machine may operate in the capacity of a server or a client machine in a client-server network environment, or as a peer machine in a peer-to-peer (or distributed) network environment. The machine may be a personal computer (PC), a tablet PC, a set-top box (STB), a Personal Digital Assistant (PDA), a cellular telephone, a web appliance, a server, a network router, a switch or bridge, a hub, an access point, a network access control device, or any machine capable of executing a set of instructions (sequential or otherwise) that specify actions to be taken by that machine. Further, while only a single machine is illustrated, the term “machine” shall also be taken to include any collection of machines that individually or jointly execute a set (or multiple sets) of instructions to perform any one or more of the methodologies discussed herein. In one embodiment,computer system 500 may be representative of a server, such as networkaccess control device 120, as shown inFIGS. 1 and 2 . - The
exemplary computer system 500 includes aprocessing device 502, a main memory 504 (e.g., read-only memory (ROM), flash memory, dynamic random access memory (DRAM), a static memory 506 (e.g., flash memory, static random access memory (SRAM), etc.), and a data storage device 518, which communicate with each other via abus 530. Any of the signals provided over various buses described herein may be time multiplexed with other signals and provided over one or more common buses. Additionally, the interconnection between circuit components or blocks may be shown as buses or as single signal lines. Each of the buses may alternatively be one or more single signal lines and each of the single signal lines may alternatively be buses. -
Processing device 502 represents one or more general-purpose processing devices such as a microprocessor, central processing unit, or the like. More particularly, the processing device may be complex instruction set computing (CISC) microprocessor, reduced instruction set computer (RISC) microprocessor, very long instruction word (VLIW) microprocessor, or processor implementing other instruction sets, or processors implementing a combination of instruction sets.Processing device 502 may also be one or more special-purpose processing devices such as an application specific integrated circuit (ASIC), a field programmable gate array (FPGA), a digital signal processor (DSP), network processor, or the like. Theprocessing device 502 is configured to execute processing logic 526, which includesNAC controller 125 as shown inFIG. 2 , for performing the operations and steps discussed herein. - The data storage device 518 may include a machine-
readable storage medium 528, on which is stored one or more set of instructions 522 (e.g., software) embodying any one or more of the methodologies of functions described herein, including instructions to cause theprocessing device 502 to executeNAC controller 125. Theinstructions 522 may also reside, completely or at least partially, within themain memory 504 and/or within theprocessing device 502 during execution thereof by thecomputer system 500; themain memory 504 and theprocessing device 502 also constituting machine-readable storage media. Theinstructions 522 may further be transmitted or received over a network 520 via thenetwork interface device 508. - The machine-
readable storage medium 528 may also be used to store instructions to perform a method for client certificate authentication, as described herein. While the machine-readable storage medium 528 is shown in an exemplary embodiment to be a single medium, the term “machine-readable storage medium” should be taken to include a single medium or multiple media (e.g., a centralized or distributed database, and/or associated caches and servers) that store the one or more sets of instructions. A machine-readable medium includes any mechanism for storing information in a form (e.g., software, processing application) readable by a machine (e.g., a computer). The machine-readable medium may include, but is not limited to, magnetic storage medium (e.g., floppy diskette); optical storage medium (e.g., CD-ROM); magneto-optical storage medium; read-only memory (ROM); random-access memory (RAM); erasable programmable memory (e.g., EPROM and EEPROM); flash memory; or another type of medium suitable for storing electronic instructions. - The preceding description sets forth numerous specific details such as examples of specific systems, components, methods, and so forth, in order to provide a good understanding of several embodiments of the present disclosure. It will be apparent to one skilled in the art, however, that at least some embodiments of the present disclosure may be practiced without these specific details. In other instances, well-known components or methods are not described in detail or are presented in simple block diagram format in order to avoid unnecessarily obscuring the present disclosure. Thus, the specific details set forth are merely exemplary. Particular embodiments may vary from these exemplary details and still be contemplated to be within the scope of the present disclosure.
- Reference throughout this specification to “one embodiment” or “an embodiment” means that a particular feature, structure, or characteristic described in connection with the embodiments included in at least one embodiment. Thus, the appearances of the phrase “in one embodiment” or “in an embodiment” in various places throughout this specification are not necessarily all referring to the same embodiment. In addition, the term “or” is intended to mean an inclusive “or” rather than an exclusive or.
- Additionally, some embodiments may be practiced in distributed computing environments where the machine-readable medium is stored on and or executed by more than one computer system. In addition, the information transferred between computer systems may either be pulled or pushed across the communication medium connecting the computer systems.
- Embodiments of the claimed subject matter include, but are not limited to, various operations described herein. These operations may be performed by hardware components, software, firmware, or a combination thereof.
- Although the operations of the methods herein are shown and described in a particular order, the order of the operations of each method may be altered so that certain operations may be performed in an inverse order or so that certain operation may be performed, at least in part, concurrently with other operations. In another embodiment, instructions or sub-operations of distinct operations may be in an intermittent and/or alternating manner.
- The above description of illustrated implementations of the invention, including what is described in the Abstract, is not intended to be exhaustive or to limit the invention to the precise forms disclosed. While specific implementations of, and examples for, the invention are described herein for illustrative purposes, various equivalent modifications are possible within the scope of the invention, as those skilled in the relevant art will recognize. The words “example” or “exemplary” are used herein to mean serving as an example, instance, or illustration. Any aspect or design described herein as “example” or “exemplary” is not necessarily to be construed as preferred or advantageous over other aspects or designs. Rather, use of the words “example” or “exemplary” is intended to present concepts in a concrete fashion. As used in this application, the term “or” is intended to mean an inclusive “or” rather than an exclusive “or”. That is, unless specified otherwise, or clear from context, “X includes A or B” is intended to mean any of the natural inclusive permutations. That is, if X includes A; X includes B; or X includes both A and B, then “X includes A or B” is satisfied under any of the foregoing instances. In addition, the articles “a” and “an” as used in this application and the appended claims should generally be construed to mean “one or more” unless specified otherwise or clear from context to be directed to a singular form. Moreover, use of the term “an embodiment” or “one embodiment” or “an implementation” or “one implementation” throughout is not intended to mean the same embodiment or implementation unless described as such. Furthermore, the terms “first,” “second,” “third,” “fourth,” etc. as used herein are meant as labels to distinguish among different elements and may not necessarily have an ordinal meaning according to their numerical designation.
Claims (20)
Priority Applications (1)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US17/870,244 US20230009167A1 (en) | 2016-12-19 | 2022-07-21 | Post-connection client certificate authentication |
Applications Claiming Priority (3)
Application Number | Priority Date | Filing Date | Title |
---|---|---|---|
US15/383,230 US10530764B2 (en) | 2016-12-19 | 2016-12-19 | Post-connection client certificate authentication |
US16/710,822 US11405378B2 (en) | 2016-12-19 | 2019-12-11 | Post-connection client certificate authentication |
US17/870,244 US20230009167A1 (en) | 2016-12-19 | 2022-07-21 | Post-connection client certificate authentication |
Related Parent Applications (1)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US16/710,822 Continuation US11405378B2 (en) | 2016-12-19 | 2019-12-11 | Post-connection client certificate authentication |
Publications (1)
Publication Number | Publication Date |
---|---|
US20230009167A1 true US20230009167A1 (en) | 2023-01-12 |
Family
ID=60703163
Family Applications (3)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/383,230 Active 2037-09-01 US10530764B2 (en) | 2016-12-19 | 2016-12-19 | Post-connection client certificate authentication |
US16/710,822 Active US11405378B2 (en) | 2016-12-19 | 2019-12-11 | Post-connection client certificate authentication |
US17/870,244 Pending US20230009167A1 (en) | 2016-12-19 | 2022-07-21 | Post-connection client certificate authentication |
Family Applications Before (2)
Application Number | Title | Priority Date | Filing Date |
---|---|---|---|
US15/383,230 Active 2037-09-01 US10530764B2 (en) | 2016-12-19 | 2016-12-19 | Post-connection client certificate authentication |
US16/710,822 Active US11405378B2 (en) | 2016-12-19 | 2019-12-11 | Post-connection client certificate authentication |
Country Status (2)
Country | Link |
---|---|
US (3) | US10530764B2 (en) |
WO (1) | WO2018118365A1 (en) |
Families Citing this family (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
CN109561025B (en) * | 2017-09-27 | 2022-04-05 | 华为技术有限公司 | Information processing method and related equipment |
US10848478B2 (en) * | 2018-02-21 | 2020-11-24 | JumpCloud, Inc. | Secure endpoint authentication credential control |
CN109361695B (en) * | 2018-11-28 | 2021-11-19 | 深圳市万网博通科技有限公司 | Method and device for authorizing network access, computer equipment and storage medium |
US11206243B2 (en) * | 2019-03-04 | 2021-12-21 | Cyxtera Cybersecurity, Inc. | Multiple gateway controllers to establish network access |
CN112242914B (en) * | 2019-07-18 | 2023-10-03 | 华为技术有限公司 | Network abnormal root cause positioning method, device and system and computer storage medium |
US11438375B2 (en) * | 2020-06-02 | 2022-09-06 | Saudi Arabian Oil Company | Method and system for preventing medium access control (MAC) spoofing attacks in a communication network |
CN112511569B (en) * | 2021-02-07 | 2021-05-11 | 杭州筋斗腾云科技有限公司 | Method and system for processing network resource access request and computer equipment |
US11575679B2 (en) * | 2021-02-16 | 2023-02-07 | Bank Of America Corporation | Agentless access control system for dynamic calibration of software permissions |
Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060274774A1 (en) * | 2005-06-07 | 2006-12-07 | Extreme Networks, Inc. | Methods, systems, and computer program products for dynamic network access device port and user device configuration for implementing device-based and user-based policies |
EP1841174A1 (en) * | 2006-03-31 | 2007-10-03 | Novell, Inc. | Methods and systems for multifactor authentication |
US20090158302A1 (en) * | 2007-12-13 | 2009-06-18 | Fiberlink Communications Corporation | Api translation for network access control (nac) agent |
US20110002341A1 (en) * | 2008-03-14 | 2011-01-06 | Ayodele Damola | Method and apparatus for remote access to a local network |
US8990891B1 (en) * | 2011-04-19 | 2015-03-24 | Pulse Secure, Llc | Provisioning layer two network access for mobile devices |
US20170185793A1 (en) * | 2015-12-27 | 2017-06-29 | Avanan Inc. | Cloud security platform |
US9723019B1 (en) * | 2012-12-28 | 2017-08-01 | Pulse Secure, Llc | Infected endpoint containment using aggregated security status information |
US20170295168A1 (en) * | 2016-04-11 | 2017-10-12 | Huawei Technologies Co., Ltd | Activation of mobile devices in enterprise mobile management |
Family Cites Families (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US7810138B2 (en) * | 2005-01-26 | 2010-10-05 | Mcafee, Inc. | Enabling dynamic authentication with different protocols on the same port for a switch |
US8520512B2 (en) * | 2005-01-26 | 2013-08-27 | Mcafee, Inc. | Network appliance for customizable quarantining of a node on a network |
US7574202B1 (en) * | 2006-07-21 | 2009-08-11 | Airsurf Wireless Inc. | System and methods for a secure and segregated computer network |
US8723958B2 (en) | 2008-04-30 | 2014-05-13 | Konica Minolta Opto, Inc. | Image pickup apparatus and image pickup element |
US8127350B2 (en) * | 2010-06-30 | 2012-02-28 | Juniper Networks, Inc. | Multi-service VPN network client for mobile device |
US9178883B2 (en) | 2012-12-12 | 2015-11-03 | SocialSign.in, Inc. | Leveraging online identities to grant access to private networks |
US9621540B2 (en) * | 2012-12-21 | 2017-04-11 | Intel Corporation | Secure provisioning of computing devices for enterprise connectivity |
US20180131525A1 (en) * | 2016-11-07 | 2018-05-10 | International Business Machines Corporation | Establishing a secure connection across secured environments |
-
2016
- 2016-12-19 US US15/383,230 patent/US10530764B2/en active Active
-
2017
- 2017-11-29 WO PCT/US2017/063793 patent/WO2018118365A1/en active Application Filing
-
2019
- 2019-12-11 US US16/710,822 patent/US11405378B2/en active Active
-
2022
- 2022-07-21 US US17/870,244 patent/US20230009167A1/en active Pending
Patent Citations (8)
Publication number | Priority date | Publication date | Assignee | Title |
---|---|---|---|---|
US20060274774A1 (en) * | 2005-06-07 | 2006-12-07 | Extreme Networks, Inc. | Methods, systems, and computer program products for dynamic network access device port and user device configuration for implementing device-based and user-based policies |
EP1841174A1 (en) * | 2006-03-31 | 2007-10-03 | Novell, Inc. | Methods and systems for multifactor authentication |
US20090158302A1 (en) * | 2007-12-13 | 2009-06-18 | Fiberlink Communications Corporation | Api translation for network access control (nac) agent |
US20110002341A1 (en) * | 2008-03-14 | 2011-01-06 | Ayodele Damola | Method and apparatus for remote access to a local network |
US8990891B1 (en) * | 2011-04-19 | 2015-03-24 | Pulse Secure, Llc | Provisioning layer two network access for mobile devices |
US9723019B1 (en) * | 2012-12-28 | 2017-08-01 | Pulse Secure, Llc | Infected endpoint containment using aggregated security status information |
US20170185793A1 (en) * | 2015-12-27 | 2017-06-29 | Avanan Inc. | Cloud security platform |
US20170295168A1 (en) * | 2016-04-11 | 2017-10-12 | Huawei Technologies Co., Ltd | Activation of mobile devices in enterprise mobile management |
Also Published As
Publication number | Publication date |
---|---|
US20200120085A1 (en) | 2020-04-16 |
WO2018118365A1 (en) | 2018-06-28 |
US11405378B2 (en) | 2022-08-02 |
US20180176210A1 (en) | 2018-06-21 |
US10530764B2 (en) | 2020-01-07 |
Similar Documents
Publication | Publication Date | Title |
---|---|---|
US11405378B2 (en) | Post-connection client certificate authentication | |
US11245687B2 (en) | Hardware-based device authentication | |
US10083290B2 (en) | Hardware-based device authentication | |
US10757094B2 (en) | Trusted container | |
US11190493B2 (en) | Concealing internal applications that are accessed over a network | |
US9774452B2 (en) | System and method for enabling unconfigured devices to join an autonomic network in a secure manner | |
US9729514B2 (en) | Method and system of a secure access gateway | |
US20170063927A1 (en) | User-Aware Datacenter Security Policies | |
US9548982B1 (en) | Secure controlled access to authentication servers | |
US20220329585A1 (en) | Utilizing endpoint security posture, identification, and remote attestation for restricting private application access | |
US20240223534A1 (en) | Stateless cloud authentication for security services | |
US20240064138A1 (en) | Intelligent secure user access to private resources | |
US20240064147A1 (en) | Granular secure user access to private resources | |
Nikolov | Corporate Network: Security Aspects |
Legal Events
Date | Code | Title | Description |
---|---|---|---|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: ADVISORY ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: DOCKETED NEW CASE - READY FOR EXAMINATION |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: NON FINAL ACTION MAILED |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: RESPONSE TO NON-FINAL OFFICE ACTION ENTERED AND FORWARDED TO EXAMINER |
|
STPP | Information on status: patent application and granting procedure in general |
Free format text: FINAL REJECTION MAILED |