One important job for an information technology department in a corporation or other entity is to enforce a given security policy or policies concerning users' computers. In many cases, a security policy requires that each client computer having access to a computer network comply with certain requirements designed to combat computer malware such as viruses, worms, etc. Enforcement of a security policy within a computer network is a critical part of computer security.
Computer networks can be found almost anywhere, from corporations, government and education to individuals' homes. Because it can be easy to join a computer network, any virus-infected computer joining the network can potentially spread the virus to any computer or device on the network, and the user of the computer might not even be aware that his or her computer is infected. As such, most computer networks follow a simple routine when a new computer attempts to join the network. Assuming that the network implements a particular security policy, a new computer attempting to join the network is first investigated to see whether or not it complies with the security policy. If not, the new computer may be denied access to the network, may be redirected to a different network, or may only be allowed access to the network for a very short period of time.
Unfortunately, many existing systems designed to enforce network security policies require installation of software on the client computer, or steps to be performed on the client computer, as part of the enforcement. These systems require interaction between the client computer and the network which can be complex, expensive and time-consuming. For example, U.S. patent publication No. US 2004/0103310 describes a technique for enforcing a security policy, but requires that a separate software module be present on each client computer in order to determine whether the client computer is in compliance with the security policy. Further, this technique also requires a DHCP proxy server separate from the actual DHCP server.
Other techniques require changes to the switch or router used by a particular client computer, which can be disruptive. In addition, while a particular enforcement technique might ensure that a client computer is in compliance with the security policy when the client computer first joins the network, the client computer might fall out of compliance some time after joining the network and then be infected by a computer virus, thus putting the computer network at risk.
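The admission routine described above (check compliance on join, then grant, redirect or grant only a short-lived lease) and the re-check problem raised in the preceding paragraph can be made concrete with a small policy evaluator. The following is an added illustration, not code from the patent or from any product it cites; the policy fields, the posture record and the lease durations are constructed assumptions for the example, and the "re-evaluate on lease renewal" step is one way to express the continuous enforcement the text says existing techniques lack.

```python
from dataclasses import dataclass
from enum import Enum


class Action(Enum):
    GRANT = "grant"              # compliant: full access, normal lease
    QUARANTINE = "quarantine"    # non-compliant: redirect to a remediation network
    SHORT_LEASE = "short_lease"  # non-compliant, no quarantine net: brief access only


@dataclass(frozen=True)
class Policy:
    # Constructed example policy; real policies carry many more checks.
    min_av_signature_version: int
    require_firewall: bool
    max_missing_patches: int
    full_lease_seconds: int = 86400   # one day for compliant clients
    short_lease_seconds: int = 300    # five minutes for non-compliant clients


@dataclass(frozen=True)
class Posture:
    # What the network has learned about a client at a point in time.
    client_id: str
    av_signature_version: int
    firewall_enabled: bool
    missing_patches: int


def violations(policy: Policy, posture: Posture) -> list[str]:
    """Return the list of policy requirements the client fails (empty = compliant)."""
    failed = []
    if posture.av_signature_version < policy.min_av_signature_version:
        failed.append("antivirus signatures out of date")
    if policy.require_firewall and not posture.firewall_enabled:
        failed.append("host firewall disabled")
    if posture.missing_patches > policy.max_missing_patches:
        failed.append("too many missing patches")
    return failed


def decide(policy: Policy, posture: Posture, quarantine_available: bool) -> tuple[Action, int]:
    """Admission decision on join: (action, lease length in seconds)."""
    if not violations(policy, posture):
        return Action.GRANT, policy.full_lease_seconds
    if quarantine_available:
        return Action.QUARANTINE, policy.short_lease_seconds
    return Action.SHORT_LEASE, policy.short_lease_seconds


def reevaluate(policy: Policy, current: Posture, quarantine_available: bool) -> tuple[Action, int]:
    """Re-run the decision at lease renewal so that a client that drifted out of
    compliance after joining is caught instead of keeping its original grant.
    Short leases make this re-check happen often for clients already flagged."""
    return decide(policy, current, quarantine_available)


# Constructed sample data for a stand-alone run.
POLICY = Policy(min_av_signature_version=1200, require_firewall=True, max_missing_patches=2)
HEALTHY = Posture("client-a", av_signature_version=1250, firewall_enabled=True, missing_patches=0)
STALE = Posture("client-b", av_signature_version=1100, firewall_enabled=True, missing_patches=5)
# Same client as HEALTHY, observed later with its firewall switched off.
DRIFTED = Posture("client-a", av_signature_version=1250, firewall_enabled=False, missing_patches=0)

if __name__ == "__main__":
    for posture in (HEALTHY, STALE):
        action, lease = decide(POLICY, posture, quarantine_available=True)
        print(f"{posture.client_id}: {action.value}, lease {lease}s, "
              f"violations={violations(POLICY, posture)}")
    action, lease = reevaluate(POLICY, DRIFTED, quarantine_available=True)
    print(f"{DRIFTED.client_id} at renewal: {action.value}, lease {lease}s")
```

The point of keeping `reevaluate` as a plain re-run of `decide` is that the same policy is applied at every renewal, so the lease length doubles as the maximum window during which a client can be out of compliance before the network notices.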
A technique is desired that would allow a computer network to constantly enforce a security policy on its various client computers without requiring additional modifications to each client computer or to the network.