公开(公告)号：US08555348B2

公开(公告)日：2013-10-08

申请号：US12714979

申请日：2010-03-01

申请人： Hormuzd Khosravi ,  David Durham ,  Karanvir Grewal

发明人： Hormuzd Khosravi ,  David Durham ,  Karanvir Grewal

IPC分类号： G06F17/30

CPC分类号： H04L63/0227

摘要： A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link. The other communication link is between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the other secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.

摘要翻译： 一种方法，其包括从耦合到网络的平台上的访问请求者发起网络访问请求，所述网络访问请求发送到网络的策略决策点。 该方法还包括在策略决策点和平台上的策略执行点之间的通信链路上建立安全通信信道。 通过另一个通信链路建立另一个安全通信信道。 另一个通信链路至少在平台上驻留的策略执行点和可管理引擎之间。 可管理性引擎经由另一个安全通信信道转发与访问请求者相关联的姿势信息。 然后，姿势信息经由策略执行点和策略决策点之间的安全通信信道被转发到策略决策点。 策略决策点基于姿势信息与一个或多个网络管理策略的比较来指示访问请求者可以获得哪些访问到网络。

公开(公告)号：US20080022388A1

公开(公告)日：2008-01-24

申请号：US11478986

申请日：2006-06-30

申请人： Karanvir Grewal ,  David Durham ,  Hormuzd Khosravi ,  Men Long ,  Prashant Dewan

发明人： Karanvir Grewal ,  David Durham ,  Hormuzd Khosravi ,  Men Long ,  Prashant Dewan

IPC分类号： G06F15/16

CPC分类号： H04L63/105

摘要： A method and apparatus to define multiple zones in a data packet for inclusion in processing by security operations of a security protocol. In one embodiment, each defined zone has an associated list of security operations to which the zone is subjected. In another embodiment, the list of security operations for a zone includes parameters to be passed when performing the security operations on the zone.

摘要翻译： 一种在数据分组中定义多个区域以包括在安全协议的安全操作的处理中的方法和装置。 在一个实施例中，每个定义的区域具有该区域经受的安全操作的关联列表。 在另一个实施例中，区域的安全操作的列表包括在区域上执行安全操作时要传递的参数。

公开(公告)号：US20100162356A1

公开(公告)日：2010-06-24

申请号：US12714979

申请日：2010-03-01

申请人： Hormuzd Khosravi ,  David Durham ,  Karanvir Grewal

发明人： Hormuzd Khosravi ,  David Durham ,  Karanvir Grewal

IPC分类号： G06F17/30

CPC分类号： H04L63/0227

摘要： A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link. The other communication link is between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the other secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.

摘要翻译： 一种方法，其包括从耦合到网络的平台上的访问请求者发起网络访问请求，所述网络访问请求发送到网络的策略决策点。 该方法还包括在策略决策点和平台上的策略执行点之间的通信链路上建立安全通信信道。 通过另一个通信链路建立另一个安全通信信道。 另一个通信链路至少在平台上驻留的策略执行点和可管理引擎之间。 可管理性引擎经由另一个安全通信信道转发与访问请求者相关联的姿势信息。 然后，姿势信息经由策略执行点和策略决策点之间的安全通信信道被转发到策略决策点。 策略决策点基于姿势信息与一个或多个网络管理策略的比较来指示访问请求者可以获得哪些访问到网络。

公开(公告)号：US07703126B2

公开(公告)日：2010-04-20

申请号：US11395504

申请日：2006-03-31

申请人： Hormuzd Khosravi ,  David Durham ,  Karanvir Grewal

发明人： Hormuzd Khosravi ,  David Durham ,  Karanvir Grewal

IPC分类号： G06F17/30

CPC分类号： H04L63/0227

摘要： A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link. The other communication link is between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the other secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.

摘要翻译： 一种方法，其包括从耦合到网络的平台上的访问请求者发起网络访问请求，所述网络访问请求发送到网络的策略决策点。 该方法还包括在策略决策点和平台上的策略执行点之间的通信链路上建立安全通信信道。 通过另一个通信链路建立另一个安全通信信道。 另一个通信链路至少在平台上驻留的策略执行点和可管理引擎之间。 可管理性引擎经由另一个安全通信信道转发与访问请求者相关联的姿势信息。 然后，姿势信息经由策略执行点和策略决策点之间的安全通信信道被转发到策略决策点。 策略决策点基于姿势信息与一个或多个网络管理策略的比较来指示访问请求者可以获得哪些访问到网络。

公开(公告)号：US20080002724A1

公开(公告)日：2008-01-03

申请号：US11479157

申请日：2006-06-30

申请人： Karanvir Grewal ,  David Durham ,  Hormuzd Khosravi ,  Men Long ,  Prashant Dewan

发明人： Karanvir Grewal ,  David Durham ,  Hormuzd Khosravi ,  Men Long ,  Prashant Dewan

IPC分类号： H04L12/56

CPC分类号： H04L63/0428 ,  H04L63/104 ,  H04L63/164 ,  H04L69/22

摘要： A method and apparatus to define multiple zones in a data packet for exclusion from processing by security operations of a security protocol. In one embodiment, each defined zone has an associated list of security operations from which the zone is protected.

摘要翻译： 一种在数据分组中定义多个区域以便通过安全协议的安全操作排除在处理之外的方法和装置。 在一个实施例中，每个定义的区域具有相关的安全操作列表，从该区域被保护。

公开(公告)号：US20070234402A1

公开(公告)日：2007-10-04

申请号：US11395504

申请日：2006-03-31

申请人： Hormuzd Khosravi ,  David Durham ,  Karanvir Grewal

发明人： Hormuzd Khosravi ,  David Durham ,  Karanvir Grewal

IPC分类号： H04L9/32

CPC分类号： H04L63/0227

摘要： A method that includes initiating a network access request from an access requester on a platform that couples to a network, the network access request made to a policy decision point for the network. The method also includes establishing a secure communication channel over a communication link between the policy decision point and a policy enforcement point on the platform. Another secure communication channel is established over another communication link. The other communication link is between at least the policy enforcement point and a manageability engine resident on the platform. The manageability engine forwards posture information associated with the access requester via the other secure communication channel. The posture information is then forwarded to the policy decision point via the secure communication channel between the policy enforcement point and the policy decision point. The policy decision point indicates what access the access requester can obtain to the network based on a comparison of the posture information to one or more network administrative policies.

摘要翻译： 一种方法，其包括从耦合到网络的平台上的访问请求者发起网络访问请求，所述网络访问请求发送到网络的策略决策点。 该方法还包括在策略决策点和平台上的策略执行点之间的通信链路上建立安全通信信道。 通过另一个通信链路建立另一个安全通信信道。 另一个通信链路至少在平台上驻留的策略执行点和可管理引擎之间。 可管理性引擎经由另一个安全通信信道转发与访问请求者相关联的姿势信息。 然后，姿势信息经由策略执行点和策略决策点之间的安全通信信道被转发到策略决策点。 策略决策点基于姿势信息与一个或多个网络管理策略的比较来指示访问请求者可以获得哪些访问到网络。

公开(公告)号：US20080082680A1

公开(公告)日：2008-04-03

申请号：US11540352

申请日：2006-09-29

申请人： Karanvir Grewal ,  Vincent Zimmer ,  Hormuzd Khosravi ,  Alan D. Ross

发明人： Karanvir Grewal ,  Vincent Zimmer ,  Hormuzd Khosravi ,  Alan D. Ross

IPC分类号： G06F15/16

CPC分类号： G06F9/4416 ,  G06F21/575 ,  H04L63/0428 ,  H04L63/12 ,  H04L67/34

摘要： A method of providing a secure download of a boot image to a remote boot environment of a computer system. In one embodiment of the invention, the remote boot environment and a boot image source engage in a boot image exchange through an authentication channel. In another embodiment, data related to the boot image exchange is tunneled in the authentication channel to protect the boot image exchange from security attacks.

摘要翻译： 提供引导映像到计算机系统的远程引导环境的安全下载的方法。 在本发明的一个实施例中，远程引导环境和引导映像源通过认证通道参与引导映像交换。 在另一个实施例中，与引导映像交换有关的数据在认证通道中被隧道传送，以保护启动映像交换免受安全攻击。

公开(公告)号：US07814531B2

公开(公告)日：2010-10-12

申请号：US11478987

申请日：2006-06-30

申请人： Hormuzd Khosravi ,  Karanvir Grewal ,  Ahuva Kroiser ,  Avigdor Eldar

发明人： Hormuzd Khosravi ,  Karanvir Grewal ,  Ahuva Kroiser ,  Avigdor Eldar

IPC分类号： H04L9/00 ,  H04L12/22

CPC分类号： H04L63/102 ,  H04L61/2015 ,  H04L63/0227 ,  H04L63/101 ,  H04L63/12

摘要： A method and apparatus for detection of network environment to aid policy selection for network access control. An embodiment of a method includes receiving a request to connect a device to a network and, if a security policy is received for the connection of the device, applying the policy for the device. If a security policy for the connection of the device is not received, the domain of the device is determined by determining whether the device is in an enterprise domain and determining whether the device is in a network access control domain, which allows selection of an appropriate domain/environment specific policy.

摘要翻译： 一种检测网络环境以帮助网络访问控制的策略选择的方法和装置。 一种方法的实施例包括接收将设备连接到网络的请求，并且如果接收到用于设备的连接的安全策略，则应用所述设备的策略。 如果没有接收到用于连接设备的安全策略，则通过确定设备是否在企业域中并确定设备是否在网络访问控制域中来确定设备的域，这允许选择适当的 域/环境特定策略。

公开(公告)号：US08205238B2

公开(公告)日：2012-06-19

申请号：US11393486

申请日：2006-03-30

申请人： Uri Blumenthal ,  Hormuzd Khosravi ,  Karanvir Grewal

发明人： Uri Blumenthal ,  Hormuzd Khosravi ,  Karanvir Grewal

IPC分类号： H04L29/06

CPC分类号： H04L63/0227 ,  H04L63/101

摘要： Transport agnostic, secure communication protocol for transmitting host platform posture information to the Network Access Control Server or PDP (Policy Decision Point) and for receiving policy information to be enforced on the trusted host platform and respective applications for data processing and communication are described herein.

摘要翻译： 这里描述了用于将主机平台姿势信息发送到网络访问控制服务器或PDP（策略决策点）并且用于接收在可信主机平台上执行的策略信息和用于数据处理和通信的相应应用的传输不可知的安全通信协议。

公开(公告)号：US20070240197A1

公开(公告)日：2007-10-11

申请号：US11393486

申请日：2006-03-30

申请人： Uri Blumenthal ,  Hormuzd Khosravi ,  Karanvir Grewal

发明人： Uri Blumenthal ,  Hormuzd Khosravi ,  Karanvir Grewal

IPC分类号： H04L9/00

CPC分类号： H04L63/0227 ,  H04L63/101

摘要： Transport agnostic, secure communication protocol for transmitting host platform posture information to the Network Access Control Server or PDP (Policy Decision Point) and for receiving policy information to be enforced on the trusted host platform and respective applications for data processing and communication are described herein.

摘要翻译： 这里描述了用于将主机平台姿势信息发送到网络访问控制服务器或PDP（策略决策点）并且用于接收在可信主机平台上执行的策略信息和用于数据处理和通信的相应应用的传输不可知的安全通信协议。