(19) United States
(12) Patent Application Publication
(10) Pub. No.: US 2014/0068030 A1
(43) Pub. Date: Mar. 6, 2014
Chambers et al.
US 20140068030A1

(54) METHOD FOR AUTOMATICALLY APPLYING ACCESS CONTROL POLICIES BASED ON DEVICE TYPES OF NETWORKED COMPUTING DEVICES

(71) Applicants: Benjamin A. Chambers, San Francisco, CA (US); John Bicket, San Francisco, CA (US)

(72) Inventors: Benjamin A. Chambers, San Francisco, CA (US); John Bicket, San Francisco, CA (US)

(21) Appl. No.: 14/011,519

(22) Filed: Aug. 27, 2013

Related U.S. Application Data

(60) Provisional application No. 61/696,000, filed on Aug. 31, 2012.

Publication Classification

(51) Int. Cl.
H04L 12/24 (2006.01)

(52) U.S. Cl.
CPC .......... H04L 41/0803 (2013.01)
USPC .......... 709/220

(57) ABSTRACT

Techniques for managing access control policies are described herein. According to one embodiment, access control policies (ACPs) and access control rules (ACRs) are downloaded from a management server to a network access device (NAD) over the Internet, where the network access device is one of a plurality of network access devices managed by the management server over the Internet. In response to a request from a network client device for entering a network, a device type of the network client device is detected and an ACP identifier is determined based on the device type using the ACRs. An ACP is selected from the ACPs based on the ACP identifier and enforced against the network client device. At least the selected ACP is reported to the management server to distribute the selected ACP to other network access devices.

Front-page representative drawing (flow diagram 600; see FIG. 6, Sheet 7):
601: Receive access control configuration information (ACPs and ACRs) from a management server over the Internet and store the same in a network access device (NAD).
602: In response to a request from a network client device (NCD) to connect to a network, authenticate the NCD (locally or remotely).
603: Detect within the NAD a device type of the NCD using one or more detection methods (e.g., DHCP fingerprints, user agent string patterns, and/or MAC prefix).
604: Apply to the NCD an ACP selected from the ACPs based on the device type and the access control configuration.
605: Report the selected ACR/ACP, MAC and device type of the NCD back to the management server, where the management server is to update other NADs.
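The five blocks above describe one pass of the NAD's procedure. The following Python is an added example, not code from the patent or from its applicants, that works through that pass: it combines DHCP fingerprint, User-Agent and MAC OUI evidence into a device type, selects an ACP through the ACRs, and builds the report for the management server (steps 603 to 605). All fingerprint strings, OUI prefixes, policy identifiers and policy contents are constructed for the example; the intersection rule used to combine the detection methods and the "*" fallback rule are the example's own assumptions, not something the patent specifies. The example also handles the case the background section raises: a DHCP fingerprint shared by several device types yields no confident type on its own, so the fallback policy is applied until another method disambiguates it.

```python
from dataclasses import dataclass
from typing import Optional, Set

# --- Constructed lookup tables (assumptions for this example, not the patent's data) ---
# A DHCP fingerprint here is the DHCP option 55 parameter request list as a string.
# One fingerprint may be shared by several device types (the ambiguity the background notes).
DHCP_FINGERPRINTS = {
    "1,3,6,15,119,252": {"iphone", "ipad"},
    "1,3,6,15,31,33,43,44,46,47,119,121,249,252": {"windows-pc"},
}
# Case-insensitive substring patterns applied to the HTTP User-Agent header.
USER_AGENT_PATTERNS = [
    ("iphone", "iphone"),
    ("ipad", "ipad"),
    ("windows nt", "windows-pc"),
    ("android", "android"),
]
# MAC OUI prefix (first three octets) -> manufacturer -> device types; constructed prefixes.
OUI_VENDORS = {"AA:BB:CC": "apple", "DD:EE:FF": "microsoft"}
VENDOR_DEVICE_TYPES = {"apple": {"iphone", "ipad"}, "microsoft": {"windows-pc"}}

# ACPs 117 and ACRs 118 as the NAD would hold them after download (constructed contents).
ACPS = {
    "guest-limited": {"vlan": 30, "download_kbps": 2000, "captive_portal": True},
    "byod-mobile": {"vlan": 20, "download_kbps": 10000, "captive_portal": False},
    "corp-pc": {"vlan": 10, "download_kbps": None, "captive_portal": False},
}
# ACR: device type -> ACP identifier; "*" is the rule applied when no type is known (assumption).
ACRS = {"iphone": "byod-mobile", "ipad": "byod-mobile", "windows-pc": "corp-pc", "*": "guest-limited"}


@dataclass
class ClientObservation:
    """What the NAD has observed from one network client device (NCD)."""
    mac: str
    dhcp_fingerprint: Optional[str] = None
    user_agent: Optional[str] = None


def candidates_from_dhcp(fingerprint: Optional[str]) -> Optional[Set[str]]:
    """Device types consistent with the DHCP fingerprint; None when the method has no opinion."""
    if fingerprint is None:
        return None
    return set(DHCP_FINGERPRINTS.get(fingerprint, set())) or None


def candidates_from_user_agent(user_agent: Optional[str]) -> Optional[Set[str]]:
    """Device types whose User-Agent pattern appears in the header; None if nothing matched."""
    if user_agent is None:
        return None
    ua = user_agent.lower()
    return {dtype for needle, dtype in USER_AGENT_PATTERNS if needle in ua} or None


def candidates_from_oui(mac: str) -> Optional[Set[str]]:
    """Device types made by the manufacturer that owns the MAC's OUI prefix."""
    vendor = OUI_VENDORS.get(mac.upper()[:8])
    return set(VENDOR_DEVICE_TYPES[vendor]) if vendor is not None else None


def detect_device_type(obs: ClientObservation) -> Optional[str]:
    """Combine the detection methods: a type is accepted only if it is the single
    device type consistent with every method that produced evidence."""
    evidence = [
        s for s in (
            candidates_from_dhcp(obs.dhcp_fingerprint),
            candidates_from_user_agent(obs.user_agent),
            candidates_from_oui(obs.mac),
        ) if s is not None
    ]
    if not evidence:
        return None
    common = set.intersection(*evidence)
    # Empty: the methods contradict each other; more than one: still ambiguous (e.g. DHCP only).
    return common.pop() if len(common) == 1 else None


def select_acp(device_type: Optional[str]):
    """Walk the ACRs: device type -> ACP identifier -> ACP, falling back to the '*' rule."""
    acp_id = ACRS.get(device_type or "*", ACRS["*"])
    return acp_id, ACPS[acp_id]


def apply_and_report(obs: ClientObservation) -> dict:
    """Steps 603-605: detect the type, select the ACP to enforce, and build the
    report the NAD sends to the management server so it can update the other NADs."""
    device_type = detect_device_type(obs)
    acp_id, acp = select_acp(device_type)
    return {"mac": obs.mac.upper(), "device_type": device_type, "acp_id": acp_id, "acp": acp}
```

A client seen with the shared fingerprint and no User-Agent yet is reported with `device_type` `None` and the fallback policy; once an HTTP request supplies a User-Agent, re-running `apply_and_report` narrows the intersection to one type and the report carries the specific ACP.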
`
Page 1 of 26
Netskope Exhibit 1010
`
`
`
`
`
Sheet 1 of 13, FIG. 1 (drawing not reproduced): block diagram of cloud managed network system 100. Labels recoverable from the drawing: Management Server(s), Management Module, Config I/F, ACP Manager, Admin(s), WAN (e.g., Internet), Network Access Device (e.g., router, switch), Access Control Module, Device Type Detector, Authentication Server, Client Devices 108.
`
`
`
`
`
`
Sheet 2 of 13, FIG. 2 (drawing not reproduced): mechanism for determining access control rules or policies from a client's device type. Labels recoverable from the drawing: Config I/F, Device Type, ACR ID, ACRs 118, ACRs/ACPs 117.
`
`
`
`
`
Sheet 3 of 13, FIG. 3 (drawing not reproduced): data structure representing access control rules and policies. Labels recoverable from the drawing: ACP (several entries), ACPs 117, ACRs 118, Version.
`
`
`
`
`
Sheet 4 of 13, FIG. 4A (drawing not reproduced): graphical user interface 400 for configuring access control rules and policies.
`
`
`
`
`
Sheet 5 of 13, FIG. 4B (drawing not reproduced): Access Control Configuration Interface, including a Whitelist.
`
`
`
`
`
Sheet 6 of 13, FIG. 5 (drawing not reproduced): access control log 500, with rows of MAC address, policy ID and expiration entries.
`
`
`
`
`
Sheet 7 of 13, FIG. 6 (drawing not reproduced): flow diagram 600 with blocks 601-605; the block text is the flow reproduced on the front page (receive and store ACPs/ACRs from the management server; authenticate the NCD locally or remotely; detect the device type using DHCP fingerprints, user agent string patterns and/or MAC prefix; apply the selected ACP; report the selected ACR/ACP, MAC and device type back to the management server, which updates the other NADs).
`
`
`
`
`
Sheet 8 of 13, FIG. 7 (drawing not reproduced): flow diagram 700 at the management server, blocks 701-704:
701: Receive and store access control configuration information (ACPs and ACRs) in the management server.
702: Transmit the access control configuration information to all network access devices (NADs) managed by the management server over the Internet.
703: Receive device and access control information (e.g., MAC and device type, ACR/ACP) of a particular network client device (NCD) from one of the NADs.
704: Transmit the device and access control information of that particular NCD to the remaining NADs over the Internet.
`
`
`
`
`
Sheet 9 of 13, FIG. 8 (drawing not reproduced): flow diagram 800 at a NAD using a remote device type detection server, blocks 801-805:
801: In response to a request from a network client device (NCD) to connect to a network, authenticate the NCD (locally or remotely).
802: Transmit a request to a remote device type detection server to allow the remote server to detect a device type of the NCD.
803: Receive a device type from the device type detection server and transmit the same to a management server.
804: Receive an ACR/ACP from the management server for the NCD, where the management server receives the device type of the NCD and selects the ACP based on the device type.
805: Apply the received ACR/ACP to the NCD and resolve any possible conflict of the ACR/ACP.
`
`
`
`
`
Sheet 10 of 13, FIG. 9 (drawing not reproduced): flow diagram 900 at the management server. Blocks recoverable from the drawing: receive and store access control configuration information (ACPs and ACRs) in the management server (901); receive at the management server a device type of a network client device (NCD) associated with a NAD over the Internet (902); select at the management server an ACP based on the device type of the NCD (903); transmit the selected ACR/ACP to a network access device associated with the NCD.
`
`
`
`
`
Sheet 11 of 13, FIG. 10A (drawing not reproduced): cloud managed network configuration. Labels recoverable from the drawing: Management Server 1001 (Config I/F, Management Module), Admin(s), logical management network with mTunnel(s) over a Network (e.g., Internet), NADs 1002-1003 (Router(s), Switch(es), Network Access AP(s)), Network Client Device(s) 1008-1009.
`
`
`
`
`
`
`
`
Sheet 12 of 13, FIG. 10B (drawing not reproduced): alternative cloud managed network configuration with the same elements as FIG. 10A (Management Server 1001 with Config I/F and Management Module, Admin(s), mTunnel(s) over a Network (e.g., Internet) forming a logical management network, NADs with Router(s), Switch(es) and Network Access AP(s), Network Client Device(s) 1008-1009).
`
`
`
`
`
`
`
`
`
`
`
Sheet 13 of 13, FIG. 11 (drawing not reproduced): network configuration according to another embodiment. Labels recoverable from the drawing: Management Server (MS) 1114, WAN (e.g., Internet) 1110, Admin(s) 1112, NADs 1104, Gateway/Router/Firewall, Router 1108, Access Point 1128, VLAN1, VLAN2, VLAN4, Other Network(s), and reference numbers 1120, 1124 and 1144.
`
`
`
`
`
US 2014/0068030 A1    Mar. 6, 2014
`
`
`
METHOD FOR AUTOMATICALLY APPLYING ACCESS CONTROL POLICIES BASED ON DEVICE TYPES OF NETWORKED COMPUTING DEVICES

RELATED APPLICATIONS

[0001] This application claims the benefit of U.S. Provisional Patent Application No. 61/696,000, filed Aug. 31, 2012, which is incorporated by reference herein in its entirety.

FIELD OF THE INVENTION

[0002] Embodiments of the present invention relate generally to networking. More particularly, embodiments of the invention relate to automatically applying access control policies based on device types of networked computing devices.

BACKGROUND

[0003] A physical local area network (LAN) may include numerous network access devices (e.g., routers, switches, wireless access points, etc.) that communicate with one another (either directly or indirectly) to provide computing device(s) (e.g., laptop, smartphone, etc.) access to a wide area network (WAN). Thus, a network access device (NAD) is a piece of networking equipment, including hardware and software, which communicatively interconnects other equipment on the LAN (e.g., other network elements, computing devices). The WAN can include, for example, the Internet, where communication with the WAN is through an interface such as T1, T3, cable, Digital Subscriber Line (DSL), wireless (e.g., mobile cell tower), or the like.

[0004] The one or more of the network access devices within the LAN that are directly coupled to the WAN or directly coupled to an interface device (e.g., a DSL modem) act as a gateway node for the LAN (a gateway to the WAN) for the other network access devices and network computing devices in the LAN. Network access devices that rely on (communicate with) one or more other network access devices to reach the WAN act as intermediate nodes of the LAN.

[0005] Generally the access control rules must either be configured manually on each network access device (e.g. individual access points or switches), or if a controller based system is used then the rules are configured on the controller. Configuring access control rules manually on each network access device is cumbersome, time-consuming and error-prone. Using a controller-based system simplifies this somewhat, but controllers are expensive and can only support a limited number of network access devices each, after which additional controllers must be deployed and access control rules synchronized between them. Also, if many network access devices are located in geographically disparate locations, synchronizing the access control rules can be confusing.

[0006] Some network equipment manufacturers allow assignment of access policy based only on dynamic host configuration protocol (DHCP) fingerprinting of the networked computing device. Essentially, one can set rules so that a device that uses a particular set of DHCP options will be automatically assigned to a specific "role" (access policy). This configuration must be done manually using the command-line interface on the network access device controller. Such a configuration is complex and error-prone. In order to set a policy assignment rule, the user must know the "magic" DHCP fingerprint string for the device type they wish to assign policies for. They must then log into the controller via command-line interface and type commands to manually configure each rule. Policy assignment is based entirely upon DHCP fingerprint. This is not an entirely reliable way of determining device type, as sometimes a number of different types of devices may use the same combination of DHCP options. Policy assignment is fixed on low level details rather than a high level description that can be implemented differently over time. For instance, if Apple devices started using different DHCP options, it would be necessary to manually reconfigure the existing solutions.

BRIEF DESCRIPTION OF THE DRAWINGS

[0007] Embodiments of the invention are illustrated by way of example and not limitation in the figures of the accompanying drawings in which like references indicate similar elements.

[0008] FIG. 1 is a block diagram illustrating a cloud managed network system according to one embodiment of the invention.

[0009] FIG. 2 is a block diagram illustrating a mechanism to determine access control rules or policies based on the device type of a client device according to one embodiment of the invention.

[0010] FIG. 3 is a block diagram illustrating a data structure representing access control rules and policies according to one embodiment of the invention.

[0011] FIGS. 4A and 4B are examples of a graphical user interface for configuring access control rules and policies according to certain embodiments of the invention.

[0012] FIG. 5 is a block diagram illustrating a data structure representing an access control log according to one embodiment of the invention.

[0013] FIG. 6 is a flow diagram illustrating a method for managing access control rules and policies according to one embodiment of the invention.

[0014] FIG. 7 is a flow diagram illustrating a method for managing access control rules and policies according to another embodiment of the invention.

[0015] FIG. 8 is a flow diagram illustrating a method for managing access control rules and policies according to another embodiment of the invention.

[0016] FIG. 9 is a flow diagram illustrating a method for managing access control rules and policies according to another embodiment of the invention.

[0017] FIGS. 10A and 10B are block diagrams illustrating a cloud managed network configuration according to certain embodiments of the invention.

[0018] FIG. 11 is a block diagram illustrating a network configuration in accordance with another embodiment of the invention.
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
`
DETAILED DESCRIPTION

[0019] Various embodiments and aspects of the inventions will be described with reference to details discussed below, and the accompanying drawings will illustrate the various embodiments. The following description and drawings are illustrative of the invention and are not to be construed as limiting the invention. Numerous specific details are described to provide a thorough understanding of various embodiments of the present invention. However, in certain instances, well-known or conventional details are not described in order to provide a concise discussion of embodiments of the present inventions.

[0020] Reference in the specification to "one embodiment" or "an embodiment" means that a particular feature, structure, or characteristic described in conjunction with the embodiment can be included in at least one embodiment of the invention. The appearances of the phrase "in one embodiment" in various places in the specification do not necessarily all refer to the same embodiment.

[0021] Techniques for automatically assigning access control policies (ACPs) based on device types of network client devices (NCDs) are described herein. According to some embodiments, a system for automatically applying a network access control policy to a network client device (also referred to as a networked computing device) is based on characteristics of the device itself, e.g. the device manufacturer or its operating system. The system automates all of the device identification mechanisms, so all the network administrator needs to do is specify a device type (e.g. "Apple iPhone") and which access policy should be applied. When a network device first connects to the network, it is examined by the system, identified by type, and assigned an access policy according to the specified rules for that device type.

[0022] According to one embodiment, the invention provides a system for the automatic assignment of access control policies to networked computing devices in wireless or wired networks. For example, when using the system, the network administrator can simply select the type of device (e.g. "Android smart phone" or "Apple iPhone") from a drop-down list, and then select which pre-defined access control policy they want to apply to that type of device.

[0023] The system then automates the identification of devices by type as well as the assignment of an access control policy based on that type. When a networked computing device connects to the network, according to one embodiment, the system analyzes network traffic in order to identify the type of device. Device identification is done behind the scenes using multiple methods including DHCP fingerprinting, extracting User-Agent headers from HTTP traffic, and determining manufacturer information from OUI lookup in the MAC address, etc. This data is combined to identify which type of device is connecting. Based on the type of device and the configuration specified by the network administrator, the system may then automatically apply an appropriate access control policy or rule.

[0024] FIG. 1 is a block diagram illustrating a cloud managed network system according to one embodiment of the invention. Referring to FIG. 1, system 100 includes, but is not limited to, various network access devices (NADs) 102-103 (which may be wired and/or wireless) managed by a management server (MS) 101 over WAN 104. Management server 101 may be a Web or cloud server, or a cluster of servers, running on server hardware. Each of network access devices 102-103 is associated with a LAN such as LANs 105-106. Network 104 may be the Internet. Network access devices 102-103 may operate as a gateway device, an access point (AP), a network switch, or a combination thereof to LANs 105-106, respectively, where various client devices 108-109 can be communicatively coupled to LANs 105-106. According to one embodiment, a network access device may be a gateway device interfacing a LAN to WAN 104 and performs network address translation (NAT) for its clients, which may be network client devices 108-109 or other network access devices. A network client device may be any kind of networked computing device, such as laptops, desktops, tablets, mobile phones, personal digital assistants (PDAs), media players, gaming devices, etc.

[0025] Referring to FIG. 1, in this example, it is assumed that network access devices 102-103 are owned by the same organization and administrated by a network administrator 107 associated with the organization. Also note that for the purpose of illustration, although network access device 103 is not shown with details therein, network access device 103 has the same or similar architecture as network access device 102. For the purpose of illustration, only two network access devices are shown, but additional network access devices may be coupled to network 104 and managed by management server 101. Also note that management server 101 may manage network access devices for multiple organizations and managed by different administrators. For example, network access device 102 may be associated with a first enterprise that is separate from a second enterprise associated with network access device 103.

[0026] According to one embodiment, management server 101 includes a management module 110 for managing network access devices 102-103. In one embodiment, each of network access devices 102-103 maintains a persistent tunnel (e.g., a secure communications channel) with management server 101 for exchanging network management messages (also referred to as an mTunnel). When a network access device such as NAD 102 boots up, NAD 102 connects and logs onto management server 101 and management server 101 authenticates NAD 102. The hardware identifier such as a serial number of NAD 102 is stored in NAD information database 111. In addition, NAD 102 may also be assigned with a network identifier for the purpose of logically grouping NAD 102 with some other NADs such as NAD 103. Thus, multiple NADs may be associated with the same network identifier. Management server 101 further includes a configuration interface 112, such as a Web interface, to allow administrator 107 to log into management server 101 to enter configuration information for configuring NADs 102-103. For example, administrator 107 may specify minimum or high level configuration parameters and management module 110 of management server 101 automatically compiles other related or low level configuration information without requiring the administrator 107 to enter such detailed configuration information, which may be time consuming and error prone.

[0027] According to one embodiment, management server 101 includes an access control policy (ACP) manager 113 to manage ACPs 114 and access control rules (ACRs) 115, which may be configured by administrator 107 via configuration interface 112. ACPs 114 and ACRs 115 are used to control access of network client devices 108-109. ACPs 114 refer to a set of predefined policies and ACRs 115 refer to a set of rules specifying how ACPs 114 should be applied. An ACR may itself be an ACP. ACPs 114 and ACRs 115 may be implemented as a single entity. According to one embodiment, ACP manager 113 transmits ACPs 114 and ACRs 115 to each of network access devices 102-103 over the Internet and the transmitted ACPs and ACRs are stored in the network access devices 102-103, for example, as ACPs 117 and ACRs 118, and managed by an access control module (ACM) such as ACM 116.

[0028] For example, when network access device 102 boots and connects to management server 101, management server 101 authenticates network access device 102. An mTunnel is created between management server 101 and network access device 102. ACPs 114 and ACRs 115 are then downloaded from management server 101 to network access device 102 via the mTunnel and stored in network access device 102 as ACPs 117 and ACRs 118. When a client device such as client device 108 is associated with network access device 102, access control module 116 controls access of client device 108 by enforcing ACPs 117 and ACRs 118.

[0029] If there is any update concerning ACPs 117 and/or ACRs 118, access control module 116 transmits the update to management server 101. In response, management server 101 broadcasts the update to other remaining network access devices associated with the same organization, such as network access device 103. For example, when client device 108 connects with network access device 102 requesting entering LAN 105 in order to access the Internet 104, network access device 102 may examine the corresponding ACRs and/or ACPs to control the access of client device 108. In some situations, the ACRs/ACPs associated with client device 108 may indicate that the authentication of client device 108 may be performed via a remote captive portal. As a result, network access device 102 may redirect the request to the captive portal for authentication. Upon receiving a successful authentication signal, network access device 102 may update ACPs 117 and/or ACRs 118 to include information indicating that client device 108 has been successfully authenticated. Such an update is then transmitted (e.g., pushed by network access device 102 or polled by management server 101) to management server 101 and management server 101 broadcasts the update to remaining network access devices such as network access device 103. As a result, both network access devices 102-103 have the same set of ACPs and ACRs.

[0030] According to another embodiment, NADs 102-103 do not need to push ACRs up to management server 101; rather, management server 101 pushes down the ACRs to NADs 102-103. In one embodiment, a remote captive portal is implemented with the MS 101. So when a NAD device has authenticated with the captive portal, the captive portal component notifies the NAD immediately (so that the NAD can let the device online), and it simply updates the ACRs in the MS directly, at which point the ACRs are transmitted to all the other NADs.

[0031] Subsequently, referring back to FIG. 1, when client device 108 roams from network access device 102 to network access device 103, network access device 103 can use the same ACPs/ACRs to control the access of client device 108. In this example, since the updated ACRs/ACPs stored within network access device 103 include information indicating that client device 108 has been previously authenticated (e.g., via network access device 102), network access device 103 does not need to redirect the request to a remote captive portal for authentication again.

[0032] According to one embodiment, each of the ACRs 115 specifies one or more access policies or links to one or more of the ACPs 114 for a specific network client device (for example, identified by its hardware MAC address) and optionally an expiration time. As mentioned above, an access policy can include a number of parameters including bandwidth limits and traffic shaping rules, VLAN assignment, firewall rules, whether a captive portal should be applied to that device, etc. When storing an ACR, the specific rules of the policy can either be explicitly stated in the ACR, or the ACR can refer to the identifying number of a pre-defined ACP 115 that is already stored elsewhere in the system.

[0033] In one embodiment, an example ACR that explicitly specifies an ACP can be defined as follows:

[0034] MAC address: 00:11:22:33:44:55

[0035] Expiration: Apr. 20 2012 23:20:42

[0036] Policy:

[0037] Download Bandwidth: 2
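As an added example (not code from the patent or from its applicants) of paragraphs [0029] through [0037], the following Python models an ACR keyed by MAC address with an optional expiration that either references a pre-defined ACP by identifier or states its policy explicitly, parses the textual ACR layout shown in [0034] to [0037], and shows a NAD recording a captive-portal authentication, reporting it to the management server, and the server broadcasting it so that a second NAD admits the roaming client without a second redirect. The ACP identifiers and contents, the default-policy behaviour when no live ACR exists, the 8-hour rule lifetime and the MAC and timestamp values are constructed assumptions; the page does not state the unit of "Download Bandwidth", so the parser keeps that value as written.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Pre-defined ACPs (ACPs 114 on the server, ACPs 117 on each NAD); constructed contents.
ACPS: Dict[int, dict] = {
    1: {"name": "guest-portal", "captive_portal": True, "download_kbps": 2000, "vlan": 30},
    2: {"name": "guest-authenticated", "captive_portal": False, "download_kbps": 5000, "vlan": 30},
}
DEFAULT_ACP_ID = 1  # applied to a client with no live ACR (assumption for this example)


@dataclass
class ACR:
    """An access control rule for one client: MAC, optional expiration, and either
    a reference to a pre-defined ACP (acp_id) or an explicitly stated policy."""
    mac: str
    expiration: Optional[datetime] = None
    acp_id: Optional[int] = None
    policy: Optional[dict] = None

    def effective_policy(self, now: datetime) -> Optional[dict]:
        """The policy this rule currently grants, or None once it has expired."""
        if self.expiration is not None and now >= self.expiration:
            return None
        return self.policy if self.policy is not None else ACPS[self.acp_id]


def parse_acr_text(text: str) -> ACR:
    """Parse the textual ACR layout of [0034]-[0037]: 'MAC address:', 'Expiration:',
    then 'Policy:' followed by indented 'Field: value' lines. Policy values are kept
    as written (integers where purely numeric); their units are not stated on the page."""
    mac, expiration, policy, in_policy = None, None, {}, False
    for raw in text.strip().splitlines():
        line = raw.strip()
        if line.lower().startswith("mac address:"):
            mac = line.split(":", 1)[1].strip().upper()
        elif line.lower().startswith("expiration:"):
            expiration = datetime.strptime(line.split(":", 1)[1].strip(), "%b. %d %Y %H:%M:%S")
        elif line.lower() == "policy:":
            in_policy = True
        elif in_policy and ":" in line:
            key, value = (part.strip() for part in line.split(":", 1))
            policy[key] = int(value) if value.isdigit() else value
    return ACR(mac=mac, expiration=expiration, policy=policy)


class ManagementServer:
    """Holds the master ACR set and relays each NAD's reported update to the other NADs."""

    def __init__(self) -> None:
        self.acrs: Dict[str, ACR] = {}
        self.nads: List["NAD"] = []

    def register(self, nad: "NAD") -> None:
        self.nads.append(nad)
        nad.acrs.update(self.acrs)  # initial download of the current ACRs to the NAD

    def report_update(self, source: "NAD", acr: ACR) -> int:
        """Store the reported ACR and broadcast it; returns the number of NADs updated."""
        self.acrs[acr.mac] = acr
        others = [nad for nad in self.nads if nad is not source]
        for nad in others:
            nad.acrs[acr.mac] = acr
        return len(others)


class NAD:
    """A network access device enforcing the ACRs/ACPs it holds."""

    def __init__(self, name: str, server: ManagementServer) -> None:
        self.name, self.server = name, server
        self.acrs: Dict[str, ACR] = {}
        server.register(self)

    def admit(self, mac: str, now: datetime) -> str:
        """Decision for a client asking to enter the network at this NAD."""
        acr = self.acrs.get(mac.upper())
        policy = acr.effective_policy(now) if acr is not None else None
        if policy is None:
            policy = ACPS[DEFAULT_ACP_ID]  # no live rule for this client
        if policy.get("captive_portal"):
            return "redirect:captive-portal"
        return f"admit:vlan{policy.get('vlan')}:{policy.get('download_kbps')}kbps"

    def portal_authenticated(self, mac: str, now: datetime, ttl: timedelta = timedelta(hours=8)) -> ACR:
        """Captive portal confirmed this client: record an ACR linking the client to the
        authenticated ACP, then report it so the server can update the other NADs."""
        acr = ACR(mac=mac.upper(), expiration=now + ttl, acp_id=2)
        self.acrs[acr.mac] = acr
        self.server.report_update(self, acr)
        return acr
```

The expiration check sits in `effective_policy` rather than in the server so that every NAD, including one holding a rule broadcast long ago, independently returns the client to the captive-portal policy once the rule lapses; the embodiment of [0030], where the portal updates the server's ACRs directly, differs only in which party calls `report_update`.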
