Computing networks can include multiple network devices such as routers, switches, hubs, servers, desktop PCs, laptops, and workstations, and peripheral devices, e.g., printers, facsimile devices, and scanners, networked together across a local area network (LAN) and/or wide area network (WAN). Network configuration can be dynamic, with clients connecting to and disconnecting from the network, e.g., a laptop user logging into, and out of, the network periodically, and with device characteristics changing, e.g., new printer drivers or printer types being added, or software being upgraded. Managing compatibility between the devices constituting the network is therefore dynamic as well, for example, ensuring that minimum operating system versions and/or patch levels are in use, that clients have minimum versions of device drivers, etc.
There is also a need to protect a network from attacks against vulnerable services, data-driven attacks on applications, host-based attacks such as privilege escalation, unauthorized logins and access to sensitive files, as well as denial of service attacks, port scans, and malicious code such as viruses, Trojan horses, and worms, among others. Security measures are dynamic in nature, being modified periodically in response to changes in real and perceived threats, risks, and vulnerabilities. Thus, managing network security is dynamic as well, since virus definitions and checking procedures need to be kept up to date, and client access to the network has to be commensurate with changing client rights and network configuration.
Traditionally, computer networks have been relatively open, with access to data only being restricted by standard account access using passwords, etc. More recently, a paradigm shift has developed whereby a client is now required to authenticate itself to the network before being allowed any network access at all. This adds an extra degree of protection both to network devices, e.g., switches, routers, etc., and to other network clients and servers. To functionally access a network, a client establishes a physical connection and proceeds through a pass/fail login process that establishes its compatibility with, and its authorization to use, the network. In previous approaches, if a client lacks network authorization or is significantly incompatible, network access is either denied or severely restricted, thus isolating the client from much of the network. Less severe compatibility issues may be addressed manually, e.g., by a network administrator, or may trigger notices of deficiencies and of the availability of compatibility and/or security upgrades, e.g., new software version(s) and/or updated virus definitions available for voluntary downloading and installation at the user's convenience.
Remote client remediation has thus far been implemented by using a remediation Virtual Local Area Network (VLAN) to isolate clients that are in the remediation process. This prevents such clients from otherwise interfering with normal operation of the network or other clients, e.g., through virus spreading, Denial of Service (DoS) attacks, etc. Typically, the remediation VLAN has been extended across the networking devices, e.g., switches, routers, etc., so that any client can readily be placed on it. However, this requires changes to the network each time a remediation solution, e.g., a software patch, is deployed, making the approach less attractive.
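The pass/fail login check and remediation-VLAN placement described in the two preceding paragraphs, as an added illustration in Python that is not part of the original text: it assumes a client reports its user name, operating system version, virus-definition date and driver versions at login, and a policy that maps the outcome to a production VLAN (compliant), a remediation VLAN (authorized but deficient), or outright denial (unauthorized). The VLAN numbers, policy thresholds, sample clients and the `radius_vlan_attributes` helper (which formats the RFC 3580 tunnel attributes a RADIUS server returns to a switch for VLAN assignment) are all assumptions made for this example.

```python
"""Hypothetical posture-check evaluator (added example; not from the page)."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date
from enum import Enum


class Decision(Enum):
    ADMIT = "admit"            # fully compliant: production VLAN
    REMEDIATE = "remediate"    # authorized but deficient: remediation VLAN
    DENY = "deny"              # not authorized: no network access at all


# Assumed VLAN numbering for this example.
PRODUCTION_VLAN = 100
REMEDIATION_VLAN = 999


@dataclass
class Policy:
    min_os_version: dict        # os name -> minimum dotted version
    max_av_age_days: int        # oldest acceptable virus-definition set
    min_driver_version: dict    # driver name -> minimum dotted version
    authorized_users: set


@dataclass
class Client:
    user: str
    os_name: str
    os_version: str
    av_definition_date: date
    drivers: dict               # driver name -> installed version (client-reported)


@dataclass
class Result:
    decision: Decision
    vlan: int | None
    deficiencies: list = field(default_factory=list)


def parse_version(s: str) -> tuple:
    """Dotted numeric version to a comparable tuple; raises ValueError if malformed."""
    return tuple(int(part) for part in s.strip().split("."))


def _check_min(label: str, installed: str, minimum: str, deficiencies: list) -> None:
    try:
        if parse_version(installed) < parse_version(minimum):
            deficiencies.append(f"{label} {installed} below minimum {minimum}")
    except ValueError:
        # Client-supplied strings are untrusted: a malformed value fails closed.
        deficiencies.append(f"{label} version {installed!r} unparseable")


def evaluate(policy: Policy, client: Client, today: date) -> Result:
    """Pass/fail login check: authority first, then compatibility."""
    if client.user not in policy.authorized_users:
        return Result(Decision.DENY, None, ["user not authorized"])

    deficiencies: list = []
    min_os = policy.min_os_version.get(client.os_name)
    if min_os is None:
        deficiencies.append(f"unsupported OS {client.os_name!r}")
    else:
        _check_min("OS", client.os_version, min_os, deficiencies)

    age = (today - client.av_definition_date).days
    if age > policy.max_av_age_days:
        deficiencies.append(f"virus definitions {age} days old (max {policy.max_av_age_days})")

    for name, min_ver in policy.min_driver_version.items():
        installed = client.drivers.get(name)
        if installed is None:
            deficiencies.append(f"driver {name} missing (need >= {min_ver})")
        else:
            _check_min(f"driver {name}", installed, min_ver, deficiencies)

    if deficiencies:
        return Result(Decision.REMEDIATE, REMEDIATION_VLAN, deficiencies)
    return Result(Decision.ADMIT, PRODUCTION_VLAN, [])


def radius_vlan_attributes(result: Result) -> dict:
    """RFC 3580 tunnel attributes telling the switch which VLAN to assign (empty = reject)."""
    if result.vlan is None:
        return {}
    return {
        "Tunnel-Type": "VLAN",
        "Tunnel-Medium-Type": "IEEE-802",
        "Tunnel-Private-Group-ID": str(result.vlan),
    }


# Constructed sample policy and clients (assumed values, not real data).
EXAMPLE_POLICY = Policy(
    min_os_version={"windows": "10.0.19045", "linux": "5.15"},
    max_av_age_days=7,
    min_driver_version={"printer-xyz": "2.4"},
    authorized_users={"alice", "bob"},
)
TODAY = date(2024, 3, 1)
COMPLIANT = Client("alice", "windows", "10.0.19045", date(2024, 2, 27), {"printer-xyz": "2.4"})
STALE = Client("bob", "windows", "10.0.18362", date(2024, 1, 15), {"printer-xyz": "2.1"})
UNKNOWN = Client("mallory", "windows", "10.0.19045", date(2024, 2, 27), {"printer-xyz": "2.4"})

if __name__ == "__main__":
    for c in (COMPLIANT, STALE, UNKNOWN):
        r = evaluate(EXAMPLE_POLICY, c, TODAY)
        print(c.user, r.decision.value, radius_vlan_attributes(r), r.deficiencies)
```

The order of checks matters: authorization is decided before any compatibility test, so an unknown user is refused outright rather than being parked on the remediation VLAN where it could still reach the update servers. Malformed client-reported values are treated as deficiencies rather than crashing the evaluator or silently passing, since everything the client reports about itself is untrusted input.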