Job Management Partner 1/Client Security Control Description, User's Guide and Operator's Guide



12.1.2 Quarantine system overview by linked product

This subsection gives an overview of the quarantine system for each linked product.

Organization of this subsection
(1) Quarantine system linked to JP1/NM
(2) Overview of a quarantine system linked to an authentication server
(3) Quarantine system linked to JP1/Software Distribution (AMT Linkage facility)

(1) Quarantine system linked to JP1/NM

In a quarantine system linked to JP1/NM, clients judged to be a security risk according to the security policy can be disconnected from the network.

The following figure shows a quarantine system linked to JP1/NM.

Figure 12-2 Quarantine system linked to JP1/NM


When a client is denied connection to the network, security measures can be implemented for the client in an offline environment, or in an online environment when using the JP1/NM quarantine support facility.

The following table shows the quarantine processes in a quarantine system linked to JP1/NM.

Table 12-2 Quarantine process (JP1/NM)

No.  Description
1    Client security levels are judged, and clients that are a security risk are identified.
2    The network connections of clients judged to be a security risk are denied by JP1/NM.
3    Security measures are implemented for clients whose network connections were denied.
     • When using the quarantine support facility: security measures are implemented in an online environment.
     • When not using the quarantine support facility: security measures are implemented in an offline environment.
4    Client security levels are judged again, and clients found to be safe are reconnected to the network by JP1/NM.

(2) Overview of a quarantine system linked to an authentication server

In a quarantine system linked to an authentication server, a client's safety is judged based on the security policy, and clients are authenticated by using either IEEE 802.1X or MAC authentication.

If the security level judgment determines that the client is safe, the client is connected to the corporate network. If a client is judged to be unsafe, the client is connected to a special network for unsafe clients. In addition, the client's request to connect to the network can also be rejected.

In this manual, the term used for the special network for unsafe clients depends on whether the VLAN environment is dynamic or static. In a dynamic VLAN environment it is called the quarantine network, and in a static VLAN environment it is called the unauthenticated network.

The following figure provides an overview of the quarantine system linked to an authentication server in a dynamic VLAN environment.

Figure 12-3 Overview of the quarantine system linked to an authentication server (in a dynamic VLAN environment)


In a dynamic VLAN environment, a client that is a high security risk is connected to the quarantine network, where security measures can be implemented. In this environment, the VLAN is created on a switch.

The following figure provides an overview of the quarantine system linked to an authentication server in a static VLAN environment.

Figure 12-4 Overview of the quarantine system linked to an authentication server (in a static VLAN environment)


In a static VLAN environment, a client that is a high security risk is connected to the unauthenticated network, where security measures can be implemented.

In a quarantine system linked to an authentication server, the clients that are permitted to connect to the network according to the action policy are registered in the connection control list of JP1/CSC - Agent, which is used to control client network connection.

The following table shows the quarantine processes in a quarantine system linked to an authentication server.

Table 12-3 Quarantine process (authentication server)

No.  Description
1    Client security levels are judged, and clients that are a security risk are identified. Clients are authenticated by either IEEE 802.1X or MAC authentication.
2    The switch selects the destination for the client connection based on the connection control list as follows:
     • In a dynamic VLAN environment, unsafe clients are connected to the quarantine network.
     • In a static VLAN environment, unsafe clients are connected to the unauthenticated network.
3    Security measures are implemented for the clients connected to the quarantine or unauthenticated network.
4    The clients are re-authenticated and their security levels are judged again. If the clients are judged to be safe, the switch connects them to the corporate network.
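The following is an added illustration of the four-step process above, not code from the manual or from JP1/CSC: a hypothetical model in which the connection control list holds the clients permitted by the action policy, and the switch decides among the corporate network, the quarantine network (dynamic VLAN), the unauthenticated network (static VLAN) or outright rejection. How a client's security level is judged is not described on this page, so the judgment is taken as a given safe/unsafe input, and the MAC-address client identifiers are constructed.

```python
from dataclasses import dataclass, field
from enum import Enum


class Vlan(Enum):
    DYNAMIC = "dynamic"
    STATIC = "static"


# Destinations for a connection request, using the manual's terms.
CORPORATE = "corporate network"
QUARANTINE = "quarantine network"            # dynamic VLAN environment
UNAUTHENTICATED = "unauthenticated network"  # static VLAN environment
REJECTED = "connection rejected"


@dataclass
class ConnectionControlList:
    """Hypothetical model of the connection control list: only clients judged
    safe (permitted by the action policy) are registered, keyed by MAC."""
    permitted: set = field(default_factory=set)

    def judge(self, mac: str, safe: bool) -> None:
        # Step 1 (and step 4 on re-authentication): the security level
        # judgment registers a safe client or removes an unsafe one.
        if safe:
            self.permitted.add(mac)
        else:
            self.permitted.discard(mac)


def switch_decision(ccl: ConnectionControlList, mac: str, vlan: Vlan,
                    reject_unsafe: bool = False) -> str:
    """Step 2: the switch picks the destination from the connection control
    list; the VLAN environment decides which special network unsafe clients get."""
    if mac in ccl.permitted:
        return CORPORATE
    if reject_unsafe:            # the request may also simply be rejected
        return REJECTED
    return QUARANTINE if vlan is Vlan.DYNAMIC else UNAUTHENTICATED


def quarantine_cycle(ccl: ConnectionControlList, mac: str, vlan: Vlan,
                     initially_safe: bool, remediated: bool) -> list:
    """Steps 1-4 for one client: returns the sequence of networks it is placed on."""
    ccl.judge(mac, initially_safe)
    first = switch_decision(ccl, mac, vlan)
    if first == CORPORATE:
        return [first]
    # Step 3: security measures are applied on the special network; step 4:
    # the client re-authenticates and is judged again with the new state.
    ccl.judge(mac, remediated)
    return [first, switch_decision(ccl, mac, vlan)]
```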

(3) Quarantine system linked to JP1/Software Distribution (AMT Linkage facility)

In a quarantine system linked to JP1/Software Distribution (AMT Linkage facility), clients judged to be a security risk according to the security policy can be disconnected from the network.

The following figure shows an overview of a quarantine system linked to JP1/Software Distribution (AMT Linkage facility).

Figure 12-5 Quarantine system linked to JP1/Software Distribution (AMT Linkage facility)


When a client is denied connection to the network, security measures can be implemented for the client in an online environment.

The following table shows the quarantine processes in a quarantine system linked to JP1/Software Distribution (AMT Linkage facility).

Table 12-4 Quarantine process (JP1/Software Distribution (AMT Linkage facility))

No.  Description
1    Client security levels are judged, and clients that are a security risk are identified.
2    The network connections of clients judged to be a security risk are denied by the AMT Linkage facility of JP1/Software Distribution.
3    Security measures are implemented in an online environment for clients whose network connections were denied.
4    Client security levels are judged again, and clients found to be safe are reconnected to the network by the AMT Linkage facility of JP1/Software Distribution.


All Rights Reserved. Copyright (C) 2009, 2011, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated