Job Management Partner 1/Client Security Control Description, User's Guide and Operator's Guide
This subsection explains the basic configuration and the network configuration of a quarantine system linked to an IEEE 802.1X authentication server. It also explains the configuration of a system containing multiple authentication servers.
- Organization of this subsection
- (1) Basic configuration of a quarantine system linked to an authentication server
- (2) Network configuration of a quarantine system linked to an authentication server
- (3) System configuration containing multiple authentication servers
(1) Basic configuration of a quarantine system linked to an authentication server
The following figure shows the basic configuration of a quarantine system linked to an authentication server.
Figure 12-7 Basic configuration of quarantine system linked to an authentication server
- Management terminal
  - A management terminal is used by an administrator to reference the asset management database, manage client asset information, monitor the status of client security measures, and implement actions. It uses the GUI for AIM.
- Management server
  - A management server manages inventory information in an asset management database, judges client security levels according to the security policy, and implements actions appropriate to these security levels.
  - It also packages files used to implement the security measures, such as software patches.
- Authentication server
  - The authentication server uses either IEEE 802.1X or MAC authentication to authenticate clients.
  - The server also updates the connection control list based on management server actions (whether to permit network connection) and on the network control command (cscnetctrl) received from a remote management server. Based on the connection control list, the server then instructs the switch where to connect the client.
- Remote management server
  - A remote management server is included in the system configuration either to automatically update judgment policies for anti-virus products by linking with the anti-virus product installed on the remote management server, or to control client network connections from another system.
  - Install JP1/CSC - Manager Remote Option on the remote management server.
- Client subject to judgment policy automatic updating
  - This client has an anti-virus product installed that is linked with automatic judgment policy updating for anti-virus products. It is required so that judgment policy definitions for anti-virus products can be updated automatically based on the update information of the anti-virus product installed on the client.
- Treatment server
  - A treatment server communicates with clients connected to the quarantined network in order to implement security measures on those clients.
  - By installing Microsoft Software Update Services and an anti-virus product on the treatment server, security measures that use these products can be implemented.
  - Note that Microsoft Software Update Services and the anti-virus product can be installed on separate machines.
- Client
  - A client is the entity managed in a quarantine system. A client sends inventory information to the management server, which judges the client's security level from that inventory information according to the security policy.
  - Note that if IEEE 802.1X authentication is used, the Windows standard supplicant that supports this type of authentication is required.
- Switch
  - A switch that supports either IEEE 802.1X or MAC authentication.
  - In a dynamic VLAN environment, the switch selects the VLAN to which the client is connected based on the network connection control instruction from the authentication server. In a static VLAN environment, the switch controls whether the client can connect to the corporate network according to the authentication result from the authentication server.
(2) Network configuration of a quarantine system linked to an authentication server
The following explains the network configuration of a quarantine system linked to an authentication server.
(a) In a dynamic VLAN environment
In a quarantine system linked to an authentication server in a dynamic VLAN environment, a VLAN containing a switch that supports IEEE 802.1X authentication is used to set up the networks, such as the corporate and quarantine networks.
The following figure shows an example of the network configuration of a quarantine system linked to an authentication server in a dynamic VLAN environment.
Figure 12-8 Example of the network configuration of a quarantine system linked to an authentication server (dynamic VLAN environment)
VLANs are used to isolate the quarantined network (where client security measures are implemented), the network where the treatment server resides, and the corporate network from one another. The quarantined network is allowed to communicate with the network where the treatment server resides.
For details about the recommended network configuration and communication between networks, see 13.2.3 Setting up the network control device (dynamic VLAN environment).
(b) In a static VLAN environment
In a quarantine system linked to an authentication server in a static VLAN environment, a switch supporting IEEE 802.1X or MAC authentication is used to isolate the corporate and unauthenticated networks from each other.
The following figure shows an example of the network configuration of a quarantine system linked to an authentication server in a static VLAN environment.
Figure 12-9 Example of the network configuration of a quarantine system linked to an authentication server (static VLAN environment)
Connection of unsafe clients to the corporate network is blocked; instead, these clients are connected to the unauthenticated network, which is set up to allow communication only with the network that contains the treatment server.
For details about the recommended network configuration, see 13.2.4 Setting up the network control device (static VLAN environment).
(3) System configuration containing multiple authentication servers
If there are too many clients to be managed smoothly with a quarantine system linked to only one authentication server, you can add authentication servers to distribute the authentication processing.
The following figure shows a system configuration that contains more than one authentication server.
Figure 12-10 System configuration containing multiple authentication servers
All Rights Reserved. Copyright (C) 2009, 2011, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated