Job Management Partner 1/Client Security Control Description, User's Guide and Operator's Guide
After completing setup of the management server, authentication server, treatment server, network control devices, and clients, set up the environment before you start operation. The following figure shows the procedures for environment setup.
Figure 13-12 Flow of setup before operation
- Organization of this subsection
- (1) Setting security policies
- (2) Connecting all clients to the network
(1) Setting security policies
Use the Security Policy Management window to set a judgment policy and action policy. For details about setting security policies, see 6. Managing Security Policies.
In the action policy, specify whether to permit or deny network connections for each security level. This ensures that the connection control list for JP1/CSC - Agent is updated, and client network connections can be directed to the appropriate network.
For details about how actions affect the connection control list, see 14.2.4(1) Types of information registered in the connection control list.
(2) Connecting all clients to the network
Before a client can connect to the corporate network, information about the client must be registered in the connection control list for JP1/CSC - Agent.
When a client is first introduced into the network, it is treated as an unregistered asset because no information about it is found in the connection control list. In this case, the client is connected to the network specified by the Connection information for unregistered asset setting in JP1/CSC - Agent setup.
The following describes the Quarantined, Refused, Normal, and Unauthenticated settings that can be specified for Connection information for unregistered asset.
(a) When Quarantined is set
The client is connected to the quarantined network, where security measures are implemented on the client. The client is then connected to the corporate network.
To connect an unregistered client to the corporate network:
- Initiate client authentication.
An authentication request is sent to the authentication server via the switch when the client is restarted, when the Windows standard supplicant service is restarted, or when a disabled client network connection is re-enabled. Note that if sending of EAPOL-START packets is not enabled, the switch requests client authentication at the authentication interval that is set on the switch.
- Implement security measures on the client by communicating with the treatment server.
Security measures can be implemented on clients in the quarantined network by communicating with the treatment server.
</gml_replace>
<gr_replace lines="25-25" cat="clarify" orig="When the client is judged safe">
When JP1/CSC - Manager on the management server judges the client safe based on the judgment policy, an action (to permit a network connection) is implemented according to the action policy. The client information is then recorded as Permit in the JP1/CSC - Agent connection control list.
By using the software distribution facility of JP1/Software Distribution, the administrator can distribute software from JP1/Software Distribution Manager on the management server, using JP1/Software Distribution Client (relay system) or JP1/Software Distribution SubManager on the treatment server as a relay system. Alternatively, the client can be provided with packages for the user to install.
For details about the software distribution facility of JP1/Software Distribution, see the manual Job Management Partner 1/Software Distribution Administrator's Guide Volume 1, for Windows systems.
When client inventory information is updated, the latest inventory information is reported to JP1/Software Distribution Manager running on the management server, via JP1/Software Distribution Client (relay system) or JP1/Software Distribution SubManager running on the treatment server.
When the client is judged safe based on the judgment policy by JP1/CSC - Manager on the management server, an action (to permit a network connection) is implemented according to the action policy. The client information is then recorded as Permit in the JP1/CSC - Agent connection control list.
- Re-authenticate the client.
An authentication request is sent to the authentication server via the switch when the client is restarted, when the Windows standard supplicant service is restarted, or when a disabled client network connection is re-enabled. Note that if sending of EAPOL-START packets is not enabled, the switch requests client authentication at the authentication interval that is set on the switch.
After security measures have been completed, the client is registered as Permit in the connection control list of JP1/CSC - Agent on the authentication server, and can then connect to the corporate network.
(b) When Refused is set
The client cannot connect to the network. Use the offline machine management functionality provided by JP1/Software Distribution to implement security measures on the client. The client can then connect to the corporate network.
To connect a rejected client to the corporate network:
- Initiate client authentication.
An authentication request is sent to the authentication server via the switch when the client is restarted, when the Windows standard supplicant service is restarted, or when a disabled client network connection is re-enabled. Note that if sending of EAPOL-START packets is not enabled, the switch requests client authentication at the authentication interval that is set on the switch.
Because Connection information for unregistered asset is set to Refused, the client cannot connect to the network.
- Use the offline machine management functionality of JP1/Software Distribution to implement security measures on the client.
You can use the offline machine management functionality of JP1/Software Distribution to implement security measures on a client in an offline environment. The offline machine management functionality allows you to install software offline and to obtain inventory information from offline machines.
For details about the offline machine management functionality of JP1/Software Distribution, see the manual Job Management Partner 1/Software Distribution Administrator's Guide Volume 1, for Windows systems.
The inventory information obtained from the offline machine is sent to JP1/Software Distribution Manager on the management server, and the client is judged by JP1/CSC - Manager.
If the client is judged safe based on the security policy, an action (to permit a network connection) is implemented according to the action policy. The client information is then recorded as Permitted in the JP1/CSC - Agent connection control list.
- Re-authenticate the client.
An authentication request is sent to the authentication server via the switch when the client is restarted, when the Windows standard supplicant service is restarted, or when a disabled client network connection is re-enabled. Note that if sending of EAPOL-START packets is not enabled, the switch requests client authentication at the authentication interval that is set on the switch.
After security measures have been completed, the client is registered as Permitted in the connection control list of JP1/CSC - Agent on the authentication server, and can then connect to the corporate network.
(c) When Normal is set
The client can already connect to the corporate network, and no special measures are necessary.
However, ensure that security measures have been implemented on the client before it connects to the network.
(d) When Unauthenticated is set
The client is first connected to the unauthenticated network. After security measures have been implemented in the unauthenticated network, the client can be connected to the corporate network.
To connect an unauthenticated client to the corporate network:
- Initiate client authentication.
When the client is restarted or a disabled client network connection is re-enabled, an authentication request is sent to the authentication server via the switch. Note, however, that if sending of EAPOL-START packets for IEEE 802.1X authentication is not enabled, the switch requests client authentication at the authentication interval that is set on the switch. If MAC authentication is used, the switch requests client authentication based on the maximum connection time set on the switch.
Because Unauthenticated is set for Connection information for unregistered asset, the client is connected to the unauthenticated network.
- Implement security measures on the client by communicating with the treatment server.
Security measures for a client connected to the unauthenticated network are implemented through communication with the treatment server from the unauthenticated network.
When the software distribution function of JP1/Software Distribution is used, JP1/Software Distribution Client (relay system) or JP1/Software Distribution SubManager on the treatment server can be used as a relay system. The relay system allows the administrator to distribute software from the management server (JP1/Software Distribution Manager) or allows the client user to install a package.
For details about the software distribution function of JP1/Software Distribution, see the manual Job Management Partner 1/Software Distribution Administrator's Guide Volume 1, for Windows systems.
When the client inventory has been updated, the latest inventory information is reported to JP1/Software Distribution Manager on the management server via JP1/Software Distribution Client (relay system) or JP1/Software Distribution SubManager.
JP1/CSC - Manager on the management server judges whether the client is safe based on the judgment policy. If the client is judged safe, an action (permit network connection) is performed according to the action policy settings. At this time, Permitted is registered as client information in the connection control list of JP1/CSC - Agent.
- Re-authenticate the client.
When the client is restarted or a disabled client network connection is re-enabled, an authentication request is sent to the authentication server via the switch. Note, however, that if sending of EAPOL-START packets for IEEE 802.1X authentication is not enabled, the switch requests client authentication at the authentication interval that is set on the switch. If MAC authentication is used, the switch requests client authentication based on the maximum connection time set on the switch.
Clients for which security measures have been implemented are registered as Permitted in the connection control list of JP1/CSC - Agent on the authentication server, and are able to connect to the corporate network.
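The four flows above share one decision sequence: the agent looks the client up in the connection control list, falls back to the Connection information for unregistered asset setting when no entry exists, and moves the client to the corporate network only at the next authentication after Permit has been recorded. The following model is an added illustration of that sequence, not code from JP1/CSC; the client identifier, the ConnectionControl class and its methods are assumed names, and the network given to a Deny entry is an assumption because the page does not name one.

```python
from dataclasses import dataclass, field
from enum import Enum

class Network(Enum):
    CORPORATE = "corporate"
    QUARANTINED = "quarantined"
    UNAUTHENTICATED = "unauthenticated"
    NONE = "no connection"  # the Refused case: the client gets no network at all

# Network assigned for each "Connection information for unregistered asset" value.
UNREGISTERED_ASSET_NETWORK = {
    "Quarantined": Network.QUARANTINED,
    "Refused": Network.NONE,
    "Normal": Network.CORPORATE,
    "Unauthenticated": Network.UNAUTHENTICATED,
}

@dataclass
class ConnectionControl:
    """Model of the JP1/CSC - Agent decision made on the authentication server."""
    unregistered_setting: str
    control_list: dict = field(default_factory=dict)  # client id -> "Permit" / "Deny"
    assigned: dict = field(default_factory=dict)      # client id -> network at last auth

    def authenticate(self, client):
        """Handle an authentication request forwarded by the switch (initial or re-auth)."""
        entry = self.control_list.get(client)
        if entry is None:  # unknown client: treated as an unregistered asset
            net = UNREGISTERED_ASSET_NETWORK[self.unregistered_setting]
        elif entry == "Permit":
            net = Network.CORPORATE
        else:  # assumption: a Deny entry gets no network (the page does not name one)
            net = Network.NONE
        self.assigned[client] = net
        return net

    def apply_judgment(self, client, safe):
        """Action taken by JP1/CSC - Manager after judging the reported inventory.
        Only the list changes; the client keeps its network until re-authenticated."""
        self.control_list[client] = "Permit" if safe else "Deny"
        return self.assigned.get(client)

def onboard(setting, client="pc-01", safe=True):
    """Networks seen at first authentication, after judgment, and after re-authentication."""
    agent = ConnectionControl(setting)  # client id "pc-01" is a constructed sample value
    first = agent.authenticate(client)
    after_judgment = agent.apply_judgment(client, safe)
    return first, after_judgment, agent.authenticate(client)
```

Running onboard("Normal") shows why the caveat under (c) matters: the client is on the corporate network from the first authentication, before any judgment has been made.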
All Rights Reserved. Copyright (C) 2009, 2011, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated