41. Hierarchical trust based posture reporting and policy enforcement
    Type: Invention application
    Status: Granted

    Publication number: US20070234402A1

    Publication date: 2007-10-04

    Application number: US11395504

    Filing date: 2006-03-31

    IPC classification: H04L9/32

    CPC classification: H04L63/0227

    Abstract: A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request being made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link, which runs between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the second secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.


42. Methods, apparatuses, and systems for the dynamic evaluation and delegation of network access control
    Type: Invention application
    Status: Granted

    Publication number: US20070006309A1

    Publication date: 2007-01-04

    Application number: US11171593

    Filing date: 2005-06-29

    IPC classification: G06F12/14

    Abstract: Embodiments of the invention are generally directed to methods, apparatuses, and systems for the dynamic evaluation and delegation of network access control. In an embodiment, a platform includes a switch to control a network connection and an endpoint enforcement engine coupled with the switch. The endpoint enforcement engine may be capable of dynamically switching among a number of network access control modes in response to an instruction received over the network connection.


43. Signed manifest for run-time verification of software program identity and integrity
    Type: Invention application
    Status: Granted

    Publication number: US20070005992A1

    Publication date: 2007-01-04

    Application number: US11173851

    Filing date: 2005-06-30

    Abstract: A measurement engine performs active platform observation. A program includes an integrity manifest that indicates an integrity check value for a section of the program's source code. The measurement engine computes a comparison value over the program's image in memory and determines whether the comparison value matches the expected integrity check value. If the values do not match, the program's image is determined to have been modified, and appropriate remedial action can be triggered. The integrity manifest can include a secure signature to verify the validity of the integrity manifest.
