Patent Issued for Segmentation Based Network Security (USPTO 10,574,654) - Insurance News | InsuranceNewsNet

March 9, 2020 Newswires
Patent Issued for Segmentation Based Network Security (USPTO 10,574,654)

Insurance Daily News

2020 MAR 09 (NewsRx) -- By a News Reporter-Staff News Editor at Insurance Daily News -- United Services Automobile Association (San Antonio, Texas, United States) has been issued patent number 10,574,654, according to news reporting originating out of Alexandria, Virginia, by NewsRx editors.

The patent’s inventors are Schroeder, Eric David (San Antonio, TX); Haslam, Justin Dax (San Antonio, TX); Brown, Donnette Moncrief (San Antonio, TX).

This patent was filed on November 7, 2017 and was published online on March 9, 2020.

From the background information supplied by the inventors, news correspondents obtained the following quote: “The number and variety of network capable devices has increased greatly in recent years with the advent of ‘smart’ devices. However, the increased number of devices connected to a network increases the risks of network security breaches. For example, some ‘smart’ devices (e.g., Internet of Things (IoT) devices) can be subject to malicious software attacks and gain access to secure information from other network devices (e.g., computers and smartphones). Improvements in network security that take into account the varied operations of network capable devices are desirable.”

Supplementing the background information on this patent, NewsRx reporters also obtained the inventors’ summary information for this patent: “Implementations of the present disclosure are generally directed to systems and methods for controlling access to network resources by computing devices connected to the network. More particularly, implementations of the present disclosure segment a network into network segments that each provide different access privileges to computing devices that are connected to the segment. For example, in operation, a new computing device is assigned first to a provisioning network. While connected to the provisioning network, a network device determines the properties of the new network capable device. The network device assigns the new computing device to an appropriate network segment based on its properties. Each network segment may provide different network access privileges to the computing devices assigned to it. Thus, the segmentation may serve to separate less secure devices (e.g., IoT devices) from trusted computing devices (e.g., home computers, tablets, smartphones, etc.).

“In general, innovative aspects of the subject matter described in this specification can be embodied in methods that include the actions of receiving, by a network device, a request from a computing device to join a network, where the network is segmented to include a provisioning network, a first network segment, and a second network segment, and the second network segment provides limited network access privileges to computing devices compared to network access privileges provided by the first network segment. Providing the computing device access to the provisioning network. Determining, while the computing device is connected to the provisioning network, properties of the computing device. Selecting which of the first network segment and the second network segment to assign access to the computing device based on the properties of the computing device. Providing security credentials to the computing device for accessing the selected one of the first network segment or the second network segment.

“Other implementations of this aspect include corresponding systems, apparatus, and computer programs, configured to perform the actions of the methods, encoded on computer storage devices. These and other implementations can each optionally include one or more of the following features.

“In some implementations, determining the properties of the computing device includes obtaining identification information associated with the computing device, and accessing the properties of the computing device from a server system based on the identification information.

“In some implementations, determining the properties of the computing device includes providing the computing device access to an observation network segment, wherein the observation network segment prevents the computing device from interacting with other computing devices connected to the network, and determining the properties of the computing device by monitoring operations of the computing device while on the observation network segment.

“In some implementations, selecting which of the first network segment and the second network segment to assign access to the computing device includes selecting the second network segment in response to determining that the computing device is likely an internet of things (IoT) device.

“In some implementations, selecting which of the first network segment and the second network segment to assign access to the computing device includes selecting the first network segment in response to determining that the computing device is likely a trusted computing device.

“In some implementations, selecting which of the first network segment and the second network segment to assign access to the computing device includes determining a trustworthiness of the computing device based on the properties of the computing device, and selecting which of the first network segment and the second network segment to assign access to the computing device based on the trustworthiness of the computing device. In some implementations, determining the trustworthiness of the computing device includes comparing the properties of the computing device to one or more profiles of trusted and untrusted computing devices.

“In some implementations the operations include storing identifying information for the computing device.

“In some implementations, determining the properties of the computing device includes identifying that the device has previously been assigned to one of the first network segment or the second network segment and, in response, reassigning the computing device to a network segment to which it had previously been assigned.

“In some implementations, the properties of the computing device include one or more of: a media access control (MAC) address, computing device type, communication requirements of the computing device, identification of external webservers with which the computing device communicates, location of external webservers with which the computing device communicates, or user specific information stored on the computing device.

“In some implementations, limitations of the limited access privileges of the second network segment include one or more of: access to a limited set of network ports, access to a limited set of external websites, access to a limited set of external servers, a network bandwidth usage limitation, limited access to performing domain name searches (DNS), a file download limitation, or restricted interactions with other computing devices connected to the network.

“In some implementations, the network device is a wireless network router, a wireless network hub, or a network switch.

“In some implementations, providing the security credentials for accessing the selected one of the first network segment or the second network segment includes automatically providing a service set identifier (SSID) of the selected one of the first network segment or the second network segment and a uniquely generated temporary credential to the computing device for accessing the selected one of the first network segment or the second network segment.

“These and other implementations can provide one or more advantages. In some examples, implementations of the present disclosure improve the security of wireless networks. For example, implementations may automatically place new network devices in appropriate network segments based on their operations. Implementations may provide improved network security by segmenting a network and restricting access to various network permissions, protocols, or other network devices and segments based on the needs of each network device. For example, each network segment may be associated with rules that govern the access permissions of devices assigned to that network segment. Implementations may permit the use of relatively unsecure network devices (e.g., some IoT devices) while maintaining a high degree of network security for trusted network devices (e.g., computers, smartphones, tablets, etc.). Implementations may provide improved network security when using IoT devices without the need for individual device level security protocols.

“The details of one or more implementations of the subject matter described in this specification are set forth in the accompanying drawings and the description below. Other features, aspects, and advantages of the subject matter will become apparent from the description, the drawings, and the claims.”
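The admission flow described in the summary above (provisioning, comparison against profiles, segment selection, a per-device temporary credential, reassignment of returning devices), sketched as an added example; it is not code from the patent or from its assignee. The SSIDs, port list, profile contents and the fail-closed default for unrecognized device types are assumptions of this example.

```python
import secrets
from dataclasses import dataclass

# Constructed segment rules; SSIDs, ports and flags are illustrative assumptions.
SEGMENTS = {
    "first":  {"ssid": "home-trusted", "ports": None, "lan_peers": True},
    "second": {"ssid": "home-iot", "ports": {53, 123, 443, 8883}, "lan_peers": False},
}

# Constructed profiles of trusted and untrusted devices. The summary names the
# idea of profiles, not their contents.
PROFILES = [
    {"trusted": True,  "types": {"laptop", "smartphone", "tablet"}},
    {"trusted": False, "types": {"camera", "thermostat", "smart-plug", "tv"}},
]


@dataclass
class Device:
    mac: str
    device_type: str  # property determined while on the provisioning network


def select_segment(dev: Device) -> str:
    """Compare the device's properties to the profiles and pick a segment."""
    for profile in PROFILES:
        if dev.device_type in profile["types"]:
            return "first" if profile["trusted"] else "second"
    return "second"  # assumption of this example: fail closed for unknown types


class Controller:
    def __init__(self):
        self.assigned = {}     # MAC -> segment (stored identifying information)
        self.credentials = {}  # (segment, MAC) -> temporary credential

    def admit(self, dev: Device) -> dict:
        mac = dev.mac.lower()
        # A returning device goes back to the segment it was assigned before,
        # regardless of the type it reports this time.
        segment = self.assigned.get(mac) or select_segment(dev)
        self.assigned[mac] = segment
        # Unique per-device credential, so one device can be revoked alone.
        cred = secrets.token_urlsafe(24)
        self.credentials[(segment, mac)] = cred
        return {"segment": segment, "ssid": SEGMENTS[segment]["ssid"], "credential": cred}

    def permits(self, mac: str, dst_port: int, dst_is_lan_peer: bool) -> bool:
        """Apply the segment rules to one flow from a device."""
        segment = self.assigned.get(mac.lower())
        if segment is None:
            return False  # never admitted: no segment access (example's choice)
        policy = SEGMENTS[segment]
        if dst_is_lan_peer and not policy["lan_peers"]:
            return False  # restricted interaction with other local devices
        return policy["ports"] is None or dst_port in policy["ports"]


def demo():
    """Admit three constructed devices and return the controller and grants."""
    ctl = Controller()
    devices = [
        Device("AA:BB:CC:00:00:01", "camera"),
        Device("AA:BB:CC:00:00:02", "laptop"),
        Device("AA:BB:CC:00:00:03", "unlisted-gadget"),
    ]
    return ctl, [ctl.admit(d) for d in devices]


if __name__ == "__main__":
    for grant in demo()[1]:
        print(grant["segment"], grant["ssid"])
```

The stored assignment is keyed on the MAC address, which the client controls, so in practice the lookup is only as strong as that identifier.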

The claims supplied by the inventors are:

“What is claimed is:

“1. A network access control system comprising: at least one network device configured to perform operations comprising: receiving a request from a computing device to join a network, the network being segmented to include a provisioning network, a first network segment, and a second network segment, wherein the second network segment provides limited network access privileges to computing devices compared to network access privileges provided by the first network segment; providing the computing device access to the provisioning network; determining, while the computing device is connected to the provisioning network, properties of the computing device; selecting, based on the properties of the computing device, which of the first network segment and the second network segment to assign access to the computing device; and automatically providing, to the computing device, a service set identifier (SSID) of the selected one of the first network segment or the second network segment and a uniquely generated temporary credential to the computing device for accessing the selected one of the first network segment or the second network segment.

“2. The system of claim 1, wherein determining the properties of the computing device comprises: obtaining identification information associated with the computing device; and accessing, based on the identification information, the properties of the computing device from a server system.

“3. The system of claim 1, wherein determining the properties of the computing device comprises: providing the computing device access to an observation network segment, wherein the observation network segment prevents the computing device from interacting with other computing devices connected to the network; and determining the properties of the computing device by monitoring operations of the computing device while on the observation network segment.

“4. The system of claim 1, wherein selecting which of the first network segment and the second network segment to assign access to the computing device comprises selecting the second network segment in response to determining that the computing device is likely an internet of things (IoT) device.

“5. The system of claim 1, wherein selecting which of the first network segment and the second network segment to assign access to the computing device comprises selecting the first network segment in response to determining that the computing device is likely a trusted computing device.

“6. The system of claim 1, wherein selecting which of the first network segment and the second network segment to assign access to the computing device comprises: determining, based on the properties of the computing device, a trustworthiness of the computing device; and selecting which of the first network segment and the second network segment to assign access to the computing device based on the trustworthiness of the computing device.

“7. The system of claim 6, wherein determining the trustworthiness of the computing device comprises comparing the properties of the computing device to one or more profiles of trusted and untrusted computing devices.

“8. The system of claim 1, wherein the operations further comprise storing identifying information for the computing device.

“9. The system of claim 1, wherein determining the properties of the computing device comprises identifying that the computing device has previously been assigned to one of the first network segment or the second network segment and, in response, reassigning the computing device to a network segment to which it had previously been assigned.

“10. The system of claim 1, wherein the properties of the computing device include one or more of: a media access control (MAC) address, computing device type, communication requirements of the computing device, identification of external webservers with which the computing device communicates, location of external webservers with which the computing device communicates, or user specific information stored on the computing device.

“11. The system of claim 1, wherein limitations of the limited network access privileges of the second network segment comprise one or more of: access to a limited set of network ports, access to a limited set of external websites, access to a limited set of external servers, a network bandwidth usage limitation, limited access to performing domain name searches (DNS), a file download limitation, or restricted interactions with other computing devices connected to the network.

“12. The system of claim 1, wherein the at least one network device is a wireless network router, a wireless network hub, or a network switch.

“13. A network device comprising: at least one processor; and a data store coupled to the at least one processor having instructions stored thereon which, when executed by the at least one processor, causes the at least one processor to perform operations comprising: receiving a request from a computing device to join a network, the network being segmented to include a provisioning network, a first network segment, and a second network segment, wherein the second network segment provides limited network access privileges to computing devices compared to network access privileges provided by the first network segment; providing the computing device access to the provisioning network; determining, while the computing device is connected to the provisioning network, properties of the computing device; selecting, based on the properties of the computing device, which of the first network segment and the second network segment to assign access to the computing device; and automatically providing, to the computing device, a service set identifier (SSID) of the selected one of the first network segment or the second network segment and a uniquely generated temporary credential to the computing device for accessing the selected one of the first network segment or the second network segment.

“14. The network device of claim 13, wherein determining the properties of the computing device comprises: obtaining identification information associated with the computing device; and accessing, based on the identification information, the properties of the computing device from a server system.

“15. The network device of claim 13, wherein determining the properties of the computing device comprises: providing the computing device access to an observation network segment, wherein the observation network segment prevents the computing device from interacting with other computing devices connected to the network; and determining the properties of the computing device by monitoring operations of the computing device while on the observation network segment.

“16. The network device of claim 13, wherein selecting which of the first network segment and the second network segment to assign access to the computing device comprises selecting the second network segment in response to determining that the computing device is likely an internet of things (IoT) device.

“17. The network device of claim 13, wherein selecting which of the first network segment and the second network segment to assign access to the computing device comprises selecting the first network segment in response to determining that the computing device is likely a trusted computing device.

“18. The network device of claim 13, wherein selecting which of the first network segment and the second network segment to assign access to the computing device comprises: determining, based on the properties of the computing device, trustworthiness of the computing device by comparing the properties of the computing device to one or more profiles of trusted and untrusted computing devices; and selecting which of the first network segment and the second network segment to assign access to the computing device based on the trustworthiness of the computing device.

“19. A computer-implemented network access control method executed by at least one processor, the method comprising: receiving a request from a computing device to join a network, the network being segmented to include a provisioning network, a first network segment, and a second network segment, wherein the second network segment provides limited network access privileges to computing devices compared to network access privileges provided by the first network segment; providing the computing device access to the provisioning network; determining, while the computing device is connected to the provisioning network, properties of the computing device; selecting, based on the properties of the computing device, which of the first network segment and the second network segment to assign access to the computing device; and automatically providing, to the computing device, a service set identifier (SSID) of the selected one of the first network segment or the second network segment and a uniquely generated temporary credential to the computing device for accessing the selected one of the first network segment or the second network segment.

“20. The method of claim 19, wherein determining the properties of the computing device comprises identifying that the computing device has previously been assigned to one of the first network segment or the second network segment and, in response, reassigning the computing device to a network segment to which it had previously been assigned.”

For the URL and additional information on this patent, see: Schroeder, Eric David; Haslam, Justin Dax; Brown, Donnette Moncrief. Segmentation Based Network Security. U.S. Patent Number 10,574,654, filed November 7, 2017, and published online on March 9, 2020. Patent URL: http://patft.uspto.gov/netacgi/nph-Parser?Sect1=PTO1&Sect2=HITOFF&d=PALL&p=1&u=%2Fnetahtml%2FPTO%2Fsrchnum.htm&r=1&f=G&l=50&s1=10,574,654.PN.&OS=PN/10,574,654RS=PN/10,574,654

(Our reports deliver fact-based news of research and discoveries from around the world.)
