As our dependence on our networks and networked devices grows, the security of such networks and network devices becomes even more important. Network designers and system administrators must establish security policies that provide a balance between ease-of-use for users while also protecting the networks and network devices from undesirable events. Most networks and network devices incorporate computer security techniques, such as access control mechanisms, to prevent unauthorized users from accessing the networks or network devices. User authentication is the process of verifying the identity of a user in a computer system, often as a prerequisite to allowing access to resources in the system.
An important issue in securing networks is to ensure that the computer security protection features installed in each device in the network are up-to-date. If the installed computer security protection features are kept up-to-date, the devices will be best protected from attacks by viruses, worms and other threats in general referred to as malware. Recent attacks by viruses and worms have posed a severe security risk, caused significant losses in the productivity of enterprises and put a strain on system administrators. Given the significant economic impact of such attacks, enterprises would like to distribute and apply updates to such computer security protection features that protect against new vulnerabilities as early as possible. However, it is currently virtually infeasible to force pushing such updates to all affected devices. Moreover, some devices, such as laptop computers and other portable devices, may not remain connected to the network at all times and thus would not necessarily be available to receive and process such updates.
Malware can attack a device at various times, depending on the particular security vulnerability exploited by the malware. For example, many typical vulnerabilities can be exploited after the device obtains an IP address or when an application is initiated. By keeping the computer security protection features of a device up-to-date, the device can be secured against known vulnerabilities. Therefore, it is important that the device gets updated as early as possible and, in the best case, before a potential vulnerability is exploited.
It is also important to restrict the access of non-compliant devices to the network. If the computer security protection features of a device cannot be updated, e.g., because the device is not connected to the network, the non-compliant device should be excluded from using the network or certain network services. From a system management perspective, the users of such non-compliant devices should be notified and provided the opportunity to update the device using a restoration service, e.g., that provides an update file or virus definition data.
A need therefore exists for network access control techniques that ensure that the security features of connected devices are up-to-date and that non-compliant devices have limited access, if any. A further need exists for network access control techniques that discover the current state of connected devices and update devices as early as possible in the timeline.