
US-12621169-B2 - Secure attestation of endpoint capability


Abstract

There is disclosed a system and method of providing services on a home gateway, including providing a set of security scans for traffic to and from a plurality of devices on a home network; cryptographically verifying that a secured device from the plurality of devices provides for itself internal security services; and based on the cryptographic verification, skipping at least one security scan of the set of security scans for traffic of the secured device.

Inventors

  • Tirumaleswar Reddy Konda
  • Shashank Jain
  • Piyush Pramod Joshi
  • Himanshu Srivastava

Assignees

  • MCAFEE, LLC

Dates

Publication Date
20260505
Application Date
20240226

Claims (20)

  1. A method of providing services on a consumer home gateway, comprising: providing a set of security scans for traffic to and from a plurality of devices on a consumer home network; for a first class of devices, comprising one or more devices that do not cryptographically attest a security posture, providing the full set of security scans; for a second class of devices, comprising one or more devices that do cryptographically attest a security posture that includes satisfactory device-local security services, skipping at least one security scan of the set of security scans.
  2. The method of claim 1, further comprising receiving a home gateway certificate from a certificate authority, and using the home gateway certificate in cryptographically verifying that the secured device provides for itself internal security services.
  3. The method of claim 2, wherein using the home gateway certificate comprises authenticating the home gateway with the secured device via the home gateway certificate.
  4. The method of claim 2, wherein using the home gateway certificate comprises making a provisional secure connection with the secured device, and sending the home gateway certificate via the provisional secure connection.
  5. The method of claim 1, further comprising provisioning a root certificate for the home gateway.
  6. The method of claim 5, further comprising provisioning an endpoint certificate to the secured device, wherein cryptographically verifying comprises authenticating the endpoint certificate against the root certificate.
  7. The method of claim 1, wherein cryptographically verifying comprises performing a certificate exchange between the home gateway and the secured device.
  8. The method of claim 1, wherein cryptographically verifying comprises receiving an attested security capability report from the secured device, and verifying the attested security capability report.
  9. The method of claim 1, wherein cryptographically verifying comprises verifying that the secured device includes a trusted software security agent.
  10. The method of claim 1, wherein cryptographically verifying comprises verifying that the secured device includes a minimum operating system version.
  11. The method of claim 1, wherein cryptographically verifying comprises verifying that the secured device includes a trusted browser extension.
  12. The method of claim 1, further comprising provisioning an endpoint certificate to the secured device via enrollment over secure transport (EST).
  13. The method of claim 1, further comprising providing gateway routing via the home gateway.
  14. The method of claim 1, further comprising providing wireless access point (WAP) services routing via the home gateway.
  15. One or more tangible, nontransitory computer-readable storage media comprising instructions to provide a home gateway, the instructions to instruct a processor to: provide a set of security scans for traffic to and from a plurality of devices on a consumer home network; for a first class of devices, comprising one or more devices that do not cryptographically attest a security posture, provide the full set of security scans; for a second class of devices, comprising one or more devices that do cryptographically attest a security posture that includes satisfactory device-local security services, skip at least one security scan of the set of security scans for traffic of the secured device.
  16. The one or more tangible, nontransitory computer-readable storage media of claim 15, wherein the instructions are further to receive a home gateway certificate from a certificate authority, and use the home gateway certificate in cryptographically verifying that the secured device provides for itself internal security services.
  17. The one or more tangible, nontransitory computer-readable storage media of claim 16, wherein using the home gateway certificate comprises authenticating the home gateway with the secured device via the home gateway certificate.
  18. The one or more tangible, nontransitory computer-readable storage media of claim 16, wherein using the home gateway certificate comprises making a provisional secure connection with the secured device, and sending the home gateway certificate via the provisional secure connection.
  19. A home gateway, comprising: a hardware platform comprising a processor circuit and a memory; and instructions encoded within the memory to instruct the processor circuit to: provide a set of security scans for traffic to and from a plurality of devices on a consumer home network; for a first class of devices, comprising one or more devices that do not cryptographically attest a security posture, provide the full set of security scans; for a second class of devices, comprising one or more devices that do cryptographically attest a security posture that includes satisfactory device-local security services, skip at least one security scan of the set of security scans for traffic of the secured device.
  20. The home gateway of claim 19, wherein the instructions are further to receive a home gateway certificate from a certificate authority, and use the home gateway certificate in cryptographically verifying that the secured device provides for itself internal security services.

Description

CROSS REFERENCE TO RELATED APPLICATION

This application claims priority to U.S. patent application Ser. No. 17/219,411, titled “Secure Attestation of Endpoint Capability,” filed on 31 Mar. 2021, which is incorporated herein by reference in its entirety.

FIELD OF THE SPECIFICATION

This application relates in general to computer security, and more particularly, though not exclusively, to a system and method of providing secure attestation of endpoint capability.

BACKGROUND

Home routers (e.g., for families) and enterprise gateway devices may collectively be referred to as a “home gateway.” The home gateway provides a home network for an endpoint, which may be the network that the endpoint is most commonly connected to, i.e., at a “home” location. In some cases, the home gateway provides network security services, such as packet scanning or similar.

BRIEF DESCRIPTION OF THE DRAWINGS

The present disclosure is best understood from the following detailed description when read with the accompanying FIGURES. It is emphasized that, in accordance with the standard practice in the industry, various features are not necessarily drawn to scale, and are used for illustration purposes only. Where a scale is shown, explicitly or implicitly, it provides only one illustrative example. In other embodiments, the dimensions of the various features may be arbitrarily increased or reduced for clarity of discussion. Furthermore, the various block diagrams illustrated herein disclose only one illustrative arrangement of logical elements. Those elements may be rearranged in different configurations, and elements shown in one block may, in appropriate circumstances, be moved to a different block or configuration.

  • FIG. 1 is a block diagram of selected elements of a home network.
  • FIGS. 2A-2B are block diagrams of a security ecosystem illustrating partial and full connections.
  • FIG. 3 is a block diagram of a gateway.
  • FIG. 4 is a block diagram of an agentless endpoint.
  • FIG. 5 is a block diagram of an agentful endpoint.
  • FIGS. 6A-6B are a flowchart of a method that may be performed by a home gateway, or other server type device.
  • FIG. 7 is a flowchart of a method that may be performed, for example, by an endpoint in an ecosystem.
  • FIG. 8 is a flowchart of a method that may be performed by an endpoint device operating a security agent.
  • FIG. 9 is a block diagram of selected elements of a hardware platform.
  • FIG. 10 is a block diagram of selected elements of a system-on-a-chip (SoC).
  • FIG. 11 is a block diagram of selected elements of a trusted execution environment (TEE).
  • FIG. 12 is a block diagram of selected elements of a network function virtualization (NFV) infrastructure.
  • FIG. 13 is a block diagram of selected elements of a containerization infrastructure.

SUMMARY

There is disclosed a system and method of providing services on a home gateway, including providing a set of security scans for traffic to and from a plurality of devices on a home network; cryptographically verifying that a secured device from the plurality of devices provides for itself internal security services; and based on the cryptographic verification, skipping at least one security scan of the set of security scans for traffic of the secured device.

EMBODIMENTS OF THE DISCLOSURE

The following disclosure provides many different embodiments, or examples, for implementing different features of the present disclosure. Specific examples of components and arrangements are described below to simplify the present disclosure. These are, of course, merely examples and are not intended to be limiting. Further, the present disclosure may repeat reference numerals and/or letters in the various examples. This repetition is for the purpose of simplicity and clarity and does not in itself dictate a relationship between the various embodiments and/or configurations discussed. Different embodiments may have different advantages, and no particular advantage is necessarily required of any embodiment.

Many vendors provide home gateway devices for individuals, families, enterprises, and other organizations. For example, MCAFEE, LLC's Secure Home Platform (SHP) provides a secure home gateway for families and individuals, while MCAFEE, LLC also provides a number of enterprise-class home gateways for larger concerns. The network security services could include, for example, packet scanning, deep packet inspection, routing, forwarding, antivirus and anti-malware services, reputation-based security (including URL reputation security), and others.

In some cases, a home gateway may operate in a relatively constrained computational environment. For example, family or individual-oriented home gateways such as SHP may commonly run on an application-specific integrated circuit (ASIC) with limited memory, and with a relatively limited set of instructions stored on a read-only memory (ROM). While it is possible to provide a home gateway with much greater computational abilities—and indeed, in the enterprise