This invention relates to remediation management and control by a switch for a plurality of served client devices. As used herein remediation refers to the need for client devices to receive a software update or to have a virus infection or the like neutralized. This invention is especially, but not exclusively, suited for remediation management for a segregated group of clients such as in a corporate or university local area network (LAN) of clients.
Various ways have been utilized to provide remediation for clients in a network. In a typical example, a group of clients in a corporate LAN is provided with a variety of services including access to the Internet. Despite security measures to minimize the risk of clients contracting a virus or other infecting agents, one or a subgroup of clients may become infected. A person in charge of administering the corporate LAN can manually enter the identity of each of the infected clients at the switch through which the clients' TCP/IP communications are processed in order to restrict infected client communications to only a designated server that can provide assistance in neutralizing the infection. However, such a solution requires the intervention of the administrator. Further, processing of the identities (individual client addresses) of the infected clients at a control switching node adversely impacts its handling capacity in view of the additional processing burden placed on it by having to screen access requests to determine if the request is made by an infected client. Also, storage of each of the client addresses of the infected clients at a control switching node may be limited by the memory capacity of the responsible switching element. A requirement for specific clients to download software updates results in similar burdens and disadvantages, since the identities of the specific clients have to be entered into the control communication switch and processed in a similar manner. Thus, a need exists for an improved remediation process.
It is an object of the present invention to satisfy this need.
An exemplary method directs client devices in a computing network to a remediation node. A subset of the client devices to receive remediation services is identified with a single common label. Upon determining that one of the client devices originating a communication request packet is identified by the single common label, the communication request packet is processed by routing it to a redirection server, and the redirection server transmits to the one client device a hypertext transfer protocol (HTTP) command specifying that the one client device redirect communications to the remediation node, so that remediation services can be supplied to the one client device via the remediation node.
An exemplary switch in accord with the present invention implements the above method.
Features of exemplary implementations of the invention will become apparent from the description, the claims, and the accompanying drawings in which:
One aspect of the present invention resides in the recognition that known approaches for providing remediation services are not scalable. That is, each client that is to receive remediation services must be individually identified by a switch providing management of the remediation services so that adding clients to receive remediation services causes a proportional increase in computational loading and in memory resources used by the switch to store individual client identities. The ability to apply a single label to a group of clients needing remediation services enables the switch to recognize these individual clients based on the single group label and provides a scalable solution that minimizes the resources and processing required by the switch in providing remediation management.
Another aspect of the present invention resides in the automated redirection of the client to the remediation server, where known prior approaches have not provided this capability. A further aspect of the present invention resides in automatically informing the client that the client has been quarantined.
A ternary content addressable memory (TCAM) 64 is coupled to the microprocessor 50 and provides a special type of memory operation. With a normal computer memory such as RAM, an operating system provides an address and receives the data stored at the supplied address in return. With content addressable memory, the operating system supplies the data and in return receives a list of addresses where the data is stored, if it finds any. It generally searches the entire memory in one operation and is hence faster than conventional RAM. A ternary type of CAM allows an input request to match a third state, where the third state may comprise a mask, i.e. may have any desired value/content such as a single common label as described below. The functioning of the switch 22 will be described in greater detail below with regard to the exemplary methods.
The elements in
A general overview will be helpful in understanding the detailed description of an exemplary embodiment of a method in accordance with the present invention. A list of pre-identified clients requiring remediation services identifies these clients by MAC address. Each of these identified clients is assigned a common group label, i.e. a quarantine group label “Q”. Members of the quarantine group are prevented from accessing network resources except for a predefined remediation server or remediation web site. When a member of the quarantine group attempts to access another web service, the traffic is intercepted by the switch, which causes an HTTP redirect command to be sent to the PC of the originating member. The redirect command causes the client browser of the member's PC to access a predefined remediation web site/server. The member can then receive appropriate remediation services, such as by taking actions to neutralize a virus affecting the member's PC or downloading software patches required to update programs residing on the member's PC. Preferably the remediation web site/server causes the client's PC to display an explanation of why the client is being redirected to the remediation site and instructions on how to proceed with the remediation action, if any manual intervention by the client is needed. Following the successful completion of the remediation, the quarantine group label is removed from association with the MAC address of the member, thereby restoring general network access for the member, i.e. subsequent traffic initiated by the member's PC will be normally routed (or bridged) to the intended destination. This mechanism informs the client that it has been quarantined and permits the client to complete remediation services without requiring manual assistance or intervention by an administrator.
The below exemplary L2 Table, which may be represented by the MAC group list table 74 in
The following table showing TCAM packet handling for client origination requests will be helpful in understanding the exemplary method that follows. In this example, the TCAM 64 has responsibility for handling ingress packets from clients. The three rows in this table illustrate how the TCAM will handle packets that originate from a client needing remediation services, i.e. Group ID=Q, based on the three specified conditions. A packet originating from a client that does not require remediation services, i.e. Group ID=0, will be handled in a conventional manner, e.g. where the TCAM permits the packet(s) to be directed toward the port/node as determined by a forwarding engine, i.e. the TCAM will not overwrite the forwarding decisions made by the forwarding engine. The TCAM packet handling table will be further explained in connection with the exemplary method.
A YES determination by step 120, indicating that the subject packet is not destined to the remediation server and is an HTTP packet, results in the TCAM copying/transferring the packet to the microprocessing unit of the switch for handling as indicated in step 130. In step 135 a determination is made by the switch of whether the subject packet is the first packet in a sequence, e.g. whether an originating SYN flag in a TCP connection is set. A NO determination by step 135 results in an existing entry from a NAT table being used. If there is no existing entry in the NAT table, the packet is dropped/discarded. Every packet between the client and the switch needs to be NAT-ed in and out until the TCP connection is closed by the remediation server. A YES determination by step 135 starts a network address translation (NAT) process of the destination IP address in which, in step 145, an entry is created in the NAT table together with a TCP port address that is internal to the switch, and this information is saved to be used by the reverse traffic as well as by subsequent packets of this stream. In step 150 the switch sends this NAT'ed packet to its TCP/IP processing stack for connection between the client and an internally implemented redirection server at the TCP port that is internal to the switch. In step 155 the redirection server sends an HTTP redirect command, e.g. HTTP redirect code 301, to the client, which is reverse NAT'ed to the client using the saved information of step 145, and closes the TCP connection with the redirection server. Alternatively, if a remediation server is not available or has not yet been configured to provide the required remediation services, the redirection server can provide a web page to the client indicating the quarantine status of the client prior to closing the connection.
In step 160 the browser of the client's PC receives the redirection packet from the switch, spoofed (by virtue of the NAT process) as being from the original destination of the HTTP request, and redirects itself to the remediation server. It will be noted that the TCAM will allow access by the client's PC to the remediation server in accordance with the condition in row two in the TCAM table. In step 165 the client has completed the implementation of the required remediation services, e.g. virus detection and eradication, or download of a software update. Depending upon the nature of the remediation services required, the remediation process may be completed without any manual intervention or input from the client. In step 170 the L2 table is updated following the client's completion of the remediation process to remove the subject client from quarantine status. Following the updating of the L2 table, the group label will not show the subject client as requiring remediation services and will therefore cause the TCAM and the microprocessor of the switch to route packets originated by the client in a normal manner toward the intended destination.
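The quarantine flow described in the overview and in steps 120 through 170 above, written out as a small Python simulation. This is an added example and not code from the patent; the MAC addresses, IP addresses, the remediation server address, the switch-internal redirection port and the "drop everything else" behaviour of the third TCAM row are assumptions made for illustration, since the TCAM table itself is not reproduced on this page.

```python
from dataclasses import dataclass

QUARANTINE = "Q"             # the single common group label used in the description
REMEDIATION_IP = "10.0.0.5"  # assumed remediation server address (constructed)
REDIRECT_PORT = 8080         # assumed switch-internal TCP port of the redirection server
# Constructed L2 table: MAC address -> group label ("Q" = quarantined, 0 = normal)
L2_TABLE = {"aa:bb:cc:00:00:01": QUARANTINE, "aa:bb:cc:00:00:02": 0}

@dataclass
class Packet:
    src_mac: str
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    syn: bool = False

class QuarantineSwitch:
    """Ingress decisions for the three TCAM rows, the NAT table and the redirect."""
    def __init__(self, l2_table):
        self.l2 = dict(l2_table)
        self.nat = {}  # (client ip, client port) -> (original dst ip, original dst port)

    def ingress(self, pkt):
        if self.l2.get(pkt.src_mac, 0) != QUARANTINE:
            return "forward"         # Group ID=0: forwarding engine decides as usual
        if pkt.dst_ip == REMEDIATION_IP:
            return "forward"         # row 2: quarantined client may reach remediation
        if pkt.dst_port == 80:
            return self.to_cpu(pkt)  # row 1: HTTP elsewhere -> microprocessor (step 130)
        return "drop"                # row 3 (assumed): everything else is blocked

    def to_cpu(self, pkt):
        key = (pkt.src_ip, pkt.src_port)
        if pkt.syn:                  # steps 135/145: SYN creates the NAT entry
            self.nat[key] = (pkt.dst_ip, pkt.dst_port)
            return ("to_stack", REDIRECT_PORT)   # step 150: NAT'ed to the internal port
        if key not in self.nat:      # mid-stream packet with no entry is discarded
            return "drop"
        # step 155: the request reached the redirection server; reply with a 301 that is
        # reverse-NAT'ed to look like it came from the original destination, then close
        orig_ip, orig_port = self.nat.pop(key)
        body = ("HTTP/1.1 301 Moved Permanently\r\n"
                f"Location: http://{REMEDIATION_IP}/\r\nConnection: close\r\n\r\n")
        return ("redirect", orig_ip, orig_port, body)

    def release(self, mac):
        """Step 170: remediation done, drop the Q label so traffic forwards normally."""
        self.l2[mac] = 0
```

Note that the switch never stores the individual addresses of quarantined clients in the TCAM: the per-packet decision keys only on the group label looked up from the L2 table, which is the scalability point made above.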
Although exemplary implementations of the invention have been depicted and described in detail herein, it will be apparent to those skilled in the art that various modifications, additions, substitutions, and the like can be made without departing from the spirit of the invention. For example, a TCAM is not a requirement for practicing embodiments of the present invention. Any architecture that is capable of identifying a single label applicable to a plurality of clients could be utilized. The functionality of the elements of
The scope of the invention is defined in the following claims.