724 results about "Network Access Control" patented technology

An apparatus, system, and method for managing dynamic network access control. The invention provides services and controlled network access that includes quarantining nodes so that they may be identified, audited, and provided an opportunity to be brought into compliance with a security policy. The invention is configured to detect a device seeking to join the network, and determine if the device is allowed to join the network. If the invention determines that the device is not to be allowed, the device may be quarantined using a VLAN. The suspect device may then be audited for vulnerabilities. If vulnerabilities are identified, remediation may be employed to guide the suspect device, a user, and/or administrator of the suspect device towards a resolution of the vulnerabilities, such that the device may be reconfigured for acceptance onto the network.

The present invention provides a technique for securely implementing port-based authentication on a shared media port in an intermediate node, such as a router. To that end, the invention provides enhanced port-based network access control that includes client-based control at the shared media port. Unlike previous implementations, the port does not permit multiple client nodes to access a trusted subnetwork as soon as a user at any one of those nodes is authenticated by the subnetwork. Instead, port-based authentication is performed for every client node that attempts to access the trusted subnetwork through the shared media port. As such, access to the trusted subnetwork is not compromised by unauthenticated client nodes that “piggy-back” over the shared media port after a user at another client node has been authenticated by the trusted subnetwork.

A method, system, computer program product, and devices for enterprise network access control and management for Government and Corporate entities, including interagency identity management; connectors and controls; an interagency directory services transformation service; a user/duty position resolving service; role-based encryption key management; role-based business process modeling; and proximity-based access control enabled by user-role-track association.

In a wireless communication network having a plurality of devices operating at different data rates that contend for access to the network, a method is provided that assigns network access parameters to one or more of the devices so as to control throughput on the network. Examples of network access control parameters are the maximum data packet size and the contention window size. Generally, the network access control parameter for slower data rate users is configured so that they do not occupy the network a disproportionate amount of time compared to faster data rate users.

Embodiments of the present invention include a computer method of controlling access to a computer-based network comprising: (i) receiving an indication of an attempt to gain access to a computer-based network; (ii) applying a respective network access control policy to determine whether to allow the attempt to gain access to the computer-based network at each of multiple security layers; and (iii) allowing or blocking the attempt to gain access through the security layer to the computer-based network based on the application of the respective network access control policy at each security layer. Other embodiments include a computer method of controlling access to a computer-based network comprising: (a) scanning a host computer for viruses; (b) temporarily disabling a firewall of the host computer during an audit; and (c) shutting down high risk services running on the host computer.

Methods (400, 500) and systems (100, 600) for interactively controlling access to a communication network (102) are disclosed. In one embodiment, a user is queried (600) on whether to allow a communication device (118) to access the network (102) and the communication device (118) is allowed access if the user actively gives permission (506). In one embodiment, the methods and systems of this invention allow interactive Media Access Control MAC address filtering of communication devices (118) attempting to access the network (102), for example wireless communication devices.

Systems and methods for group-based network access control systems are provided. The group-based network access control system includes a software process operating on a computer. The software process is configured to communicate a packet through a group-based network protocol stack to a network interface card that includes an interface attribute. A table of network attributes, associated with a session filter module and a network filter module, compares the network endpoint attribute with the interface attribute in the table of network attributes to determine whether the software process can access the network interface card. Each network endpoint attribute comprises a primary group identifier and a supplemental group identifier list, and each interface attribute comprises a network group list. The method includes the steps of operating a software process that includes a network endpoint attribute. Next, packets are communicated through a network protocol stack to a network interface card, where the network interface card includes an interface attribute. Association between the network endpoint attribute and the interface attribute is established, and both the network endpoint attribute and the interface attribute are placed in a table. The network endpoint attribute is then compared with the interface attribute to determine whether the software process can access the network interface card. Each network endpoint attribute comprises a primary group identifier and a supplemental group identifier list, and each interface attribute comprises a network group list.

The invention provides a network access control method and system based on IP access behaviors. The method includes: after a Web request sent by a client is acquired through a router, the Web request is sent to a behavior analyzing server; data in the Web request are extracted by the behavior analyzing server and a corresponding user IP and a behavior record of the user IP are generated and whether the Web request is a normal request is judged according to the behavior record; if the Web request is a normal request, then the Web request is forwarded to a corresponding service server and if not, then a response refusing the Web request is sent to the client so that access control on unknown IPs can be carried out dynamically and problems such as low efficiency, tedious configuration and poor dynamic instantaneity and the like in traditional IP access control are solved. At the same time, the network access control method and system also aim at restraining network attacks, regulating crawler behaviors, improving website or API service qualities and enhancing website stability and usability.

According to one embodiment of the present invention, there is provided a method of authorizing a communication device to connect to a network. The method comprises receiving, at a processor, a communication device identifier and a subscriber identifier, determining, by the processor, whether the received communication device identifier is associated with the received subscriber identifier in a data store. Where it is determined that the received identifiers are not so associated the method further comprise requesting, by the processor, a security token associated with the communication device, receiving, at the processor, a security token, determining, by the processor, whether the received security token matches a stored security token associated with the received communication device identifier in the data store, and where it is so determined, authorizing the communication device to connect to the network.

A policy normalizing means normalizes an entered security policy. Specifically, if the security policy does not include necessary items, the policy normalizing means compensates the security policy for the missing items by predefined values so that the security policy includes the necessary items. An behavior model generating means generates an behavior model representative of the operation of a network access controller based on the normalized security policy. In this event, the behavior model generating means generates an behavior model which is represented by a data structure that is not dependent on the type of the network access controller. A modifying means modifies the behavior model in accordance with a modification principle desired by an operator, and a configuration generating means generates configuration for the network access controller from the modified behavior model.

Controlling access to a protected network is disclosed. In some embodiments, one or more events that occur will a host is disconnected from the protected network are logged. The log is provided to one or more devices associated with the protected network when the host requests access to the protected network after a period in which it was not connected. In some embodiments, a network access control or other device or process uses the log to determine whether and/or an extent to which the host should be permitted to connect to the network.

In a dispersed storage network access control list information must be occasionally written out to system units across the network. A dispersed storage (DS) managing unit (18) combines (204) the access control list information with a clock stamp and hashes (206) that combined output. An encryptor (208) encrypts a security key (210) and the hash output to obtain a signature. A combiner (212) combines the signature and the output of combiner (204) and outputs to a publisher (214). Upon receipt of the output of the publisher (214) a dispersed storage unit (44) can reverse process and securely validate the access control list information provided by the publisher (214) to receive and store updated and valid access control list information. This processing is performed by the unit (44) using parsers (216), caches (218 and 228), hash operations (224), decryptors (222), comparators (226), logic (230), and key stores (220).

Administration of access to computer resources on a network including receiving in a network access control module on a network, from a device communicatively coupled to the network, a request for access to resources on the network, the request including computer data representing an identity of the device, an identity of a current user of the device, and a current configuration of the device; and granting, by the network access control module to the device, access to resources on the network in dependence upon the identity of the device, the identity of the current user, the current configuration of the device, and a configuration of the device authorized for the current user.

A method and apparatus that provide network access control are disclosed. In one embodiment, a network device is configured to intercept network traffic initiated from a client and directed toward a network resource, and to locally authenticate the client. Authentication is carried out by comparing information identifying the client to authentication information stored in the network device. In one embodiment, an authentication cache in the network device stores the authentication information. If the client identifying information is authenticated successfully against the stored authentication information, the network device is dynamically re-configured to allow network traffic initiated by the client to reach the network resource. If local authentication fails, new stored authentication is created for the client, and the network device attempts to authenticate the client using a remote authentication server. If remote authentication is successful, the local authentication information is updated so that subsequent requests can authenticate locally. As a result, a client may be authenticated locally at a router or similar device, reducing network traffic to the authentication server.

A satellite communications system (10) includes a hub (14), a satellite (32), and any number of remote terminals (16). Each remote terminal (16) includes a remote receiver (38), a monitor (40), and a network access controller (42). Each remote receiver (38) is configured to receive and down convert the system's entire spectrum of interest from which channels are accessed by the remote terminals (16). The monitors (40) independently perform FFT processes over this entire spectrum, but at a low frequency resolution which is no higher than needed to distinguish channels. Based on these spectral analyses, uplink/inbound channels are independently selected by the network access controllers (42) at each remote terminal (16). Remote terminals (16) immediately transmit data to the hub (14) as soon as they select an uplink/inbound channel.

A system and method for regulating and analyzing inbound and outbound communications in and between computer networks on the basis of geographic security assertions are provided. Geographic information is collected, optimized, and shared between network objects to enforce network access control on the basis of configurable security assertions. Security assertions are configured and metrics displayed using maps and other geographic data in a graphical user interface.

The invention discloses a system and a method for managing security of a general network, and mainly overcomes the defects of poor openness and expansibility and weak functional completeness existing in the prior network security management system. The system mainly comprises peripheral equipment, a security agent terminal, a security management center and terminal management equipment, wherein the security management center applies security technology of network access control, intrusion detection, virus detection and vulnerability management to the security agent terminal through an interface component, a data base module and a user interface component; and under the unified management and control, all security technology is mutually complemented and matched to detect and control network behaviors, so that a distributed security protection system structure in which security strategies are under central management and the security detection is separately distributed is formed. The system and the method have the advantages of flexible configuration, easy expansion, good openness, support of the different level management, and suitability for the security management and protection of the computer network in governments, colleges and universities, and large- and medium-sized enterprises.

In a dispersed storage network where slices of secure user data are stored on geographically separated storage units (44), a managing unit (18) connected to the network (20) may seek to broadcast and update secure access control list information across the network (20). Upon a target device (e.g., devices 12, 14, 16, 18, or 44) receiving the broadcast the target device creates and sends an access control list change notification message to all other system devices that should have received the same broadcast if the broadcast is a valid request to update access control list information. The target device waits for responses from the other system devices to validate that the broadcast has been properly sent to a threshold number of other system devices before taking action to operationally change local data in accordance with the broadcast.

A method and a system for interworking with a Broadband Wireless Access (BWA) network in a Wireless Local Area Network (WLAN) terminal. According to the method, a relay station for connecting the Wireless Local Area Network (WLAN) terminal with the Broadband Wireless Access (BWA) network sets a connection with the Broadband Wireless Access (BWA) network through an initialization process. A user authentication with the Wireless Local Area Network (WLAN) terminal is performed by the relay station in compliance with a Wireless Local Area Network (WLAN) protocol. A user authentication with a Broadband Wireless Access (BWA) network Access Control Router (ACR) is performed in compliance with a Broadband Wireless Access (BWA) network protocol by the relay station in place of the Wireless Local Area Network (WLAN) terminal.

Disclosed are methods, devices, and media for enforcing network access control, the method including the steps of: extracting a packet signature from a packet (or packet fragment) received from a network; storing the packet signature and the packet in a buffer; computing a buffer signature using a per-endpoint secret key; determining whether the packet signature and the buffer signature are identical; and upon determining the packet signature and the buffer signature are identical, transmitting the packet to a protocol stack. Preferably, the step of extracting includes extracting the packet signature from a field (e.g. identification field) of a header of the packet. Preferably, the method further includes the step of: upon determining the packet signature and the buffer signature are not identical, discarding the packet. Methods for receiving a packet from a protocol stack, and transmitting the packet to a network are disclosed as well.

The invention relates to communication field, and discloses a network access control method and a device thereof. The network access control method comprises the following steps: acquiring a user identity in a network access request that is received by an access gateway; inquiring a prestored access control table according to the user identity and determining whether the user is a controlled user; if the user is the controlled user, acquiring the network access information of the controlled user; inquiring the access control table according to the network access information, determining whether the network access request exceeds a network access allowed range of the controlled user; if the network access request exceeds the network access allowed range of the controlled user, inquiring the access control table for acquiring a processing strategy to the network access request; and determining a network access control instruction according to the processing strategy, and transmitting the network access control instruction to the access gateway so that the access gateway performs processing to the network access request according to the network access control instruction. The network access control method according to the technical solution of the invention causes controlling for network access of the user more comprehensive, more flexible and more effective.

A network access control system comprises a reception unit receiving an authentication request message containing an authentication request of use of a secondary access network, the authentication request message is sent from a terminal that can use a core network by using a plurality of different types of access networks including a primary access network and the secondary access network, and arriving at the core network via the primary access network; an authentication unit performing authentication processing in response to the authentication request of the use of the secondary access network; and a transmission unit transmitting an authentication response message about the secondary access network that arrives at the terminal via the primary access network.