Job Management Partner 1/Client Security Control Description, User's Guide and Operator's Guide



14.2.1 Example of operating a quarantine system linked to an authentication server in a dynamic VLAN environment (IEEE 802.1X authentication)

This subsection uses an operation example to explain the quarantine processes of a quarantine system linked to an IEEE 802.1X authentication server in a dynamic VLAN environment.

This example is based on the following assumptions:

Organization of this subsection
(1) Authentication/inspection process
(2) Isolation process
(3) Treatment process
(4) Recovery process

(1) Authentication/inspection process

In the authentication/inspection process, clients that are a security risk are identified, and clients are authenticated.

The following figure shows the authentication/inspection process (client judgment).

Figure 14-12 Authentication/inspection process (client judgment)

[Figure]

  1. Inventory information for clients is reported to JP1/Software Distribution Manager on the management server via JP1/Software Distribution Client (relay system)# on the treatment server.
    Inventory information for clients A and B is reported to JP1/Software Distribution Manager on the management server via JP1/Software Distribution Client (relay system)# on the treatment server.

    #
    JP1/Software Distribution SubManager 07-50 or later can also be used.
  2. JP1/CSC - Manager on the management server judges client B to be Danger.
    JP1/CSC - Manager on the management server compares the inventory information against the judgment policy, and judges client B to be Danger.
  3. JP1/CSC - Manager on the management server instructs JP1/CSC - Agent on the authentication server to permit (client A) and deny (client B) network connections.
    Based on the action policy, JP1/CSC - Manager on the management server instructs JP1/CSC - Agent on the authentication server to allow client A access to the network, but deny access for client B.
  4. JP1/CSC - Agent on the authentication server updates the connection control list.
    JP1/CSC - Agent updates the connection control list to reflect the action implemented on JP1/CSC - Manager, by setting client A to Permit and client B to Deny.

    The following figure shows the authentication/inspection process (client authentication).

    Figure 14-13 Authentication/inspection process (client authentication)

    [Figure]

  5. Begin client authentication.
    When the client is restarted, when the Windows standard supplicant service is restarted, or when the client network connection is enabled, an authentication request is sent via the switch to Microsoft IAS or Network Policy Server on the authentication server.
    If sending of EAPOL-START packets# has not been set, the switch requests client authentication based on the authentication interval set on the switch.
    In this example, a new client (client C) will be added to the network.

    #
    For details about configuring the supplicant to send EAPOL-START packets, see the description immediately following the table in 13.2.6(2) Setting up the Windows standard supplicant.
  6. The switch sends client authentication requests to Microsoft IAS or Network Policy Server on the authentication server.
    The switch requests authentication of clients A, B, and C from Microsoft IAS or Network Policy Server on the authentication server.
    Clients A, B, and C are authenticated according to the IEEE 802.1X standard, based on a user ID and password.

(2) Isolation process

In the isolation process, client network connections are controlled based on the security policy.

The following figure shows the isolation process.

Figure 14-14 Isolation process

[Figure]

  1. Microsoft IAS or Network Policy Server on the authentication server requests JP1/CSC - Agent to check the connection control list.
    After clients A, B, and C have been authenticated, Microsoft IAS or Network Policy Server on the authentication server requests JP1/CSC - Agent to check the connection control list.
  2. JP1/CSC - Agent checks the connection control list, and returns the VLAN-IDs of the clients' connection destinations to Microsoft IAS or Network Policy Server. Microsoft IAS or Network Policy Server then reports these VLAN-IDs to the switch.
    JP1/CSC - Agent on the authentication server checks the connection control list for information about clients A, B, and C. In this case, client A is listed as Permit, and client B is listed as Deny. As no information about client C is listed in the connection control list, client C is deemed an unregistered asset.
    For clients B and C, JP1/CSC - Agent returns the VLAN-ID of the quarantined network to Microsoft IAS or Network Policy Server.
    Microsoft IAS or Network Policy Server reports to the switch the quarantined network's VLAN-ID received from JP1/CSC - Agent and the corporate network's VLAN-ID managed by Microsoft IAS or Network Policy Server.
  3. The switch switches the connection destinations of the clients.
    The switch decides the connection destination for each client based on the VLAN-IDs received from Microsoft IAS or Network Policy Server on the authentication server.
    Client A is connected to the corporate network, and clients B and C are connected to the quarantined network. A message is sent to the clients, notifying them of their connection destination.
    You must now implement security measures on clients B and C, which are connected to the quarantined network.

(3) Treatment process

In the treatment process, security measures are implemented on clients denied access to the network. For details about how to implement security measures on clients, see 14.2.5 Implementing security measures on a client.

The following figure shows the treatment process.

Figure 14-15 Treatment process

[Figure]

  1. Package the patches, and then register the package in JP1/Software Distribution Manager on the management server.
    Package the patches to be installed, and register the package in JP1/Software Distribution Manager on the management server.
  2. Distribute the patches from JP1/Software Distribution Manager on the management server.
    On JP1/Software Distribution Manager, execute the patch distribution job. The patches are transferred to JP1/Software Distribution Client (relay system)# on the treatment server.
  3. Remotely install the patches on the clients from JP1/Software Distribution Client (relay system)# on the treatment server.
    Because clients in the quarantined network are permitted to communicate with JP1/Software Distribution Client (relay system)# on the treatment server, the patches are installed on the client from JP1/Software Distribution Client (relay system)#. By applying the distributed patch, security measures are implemented on the client.

    #
    JP1/Software Distribution SubManager 07-50 or later can also be used.

Reference note
The user can also implement security measures on a client denied access to the network by manually selecting and installing packages registered with JP1/Software Distribution Manager on the management server.

(4) Recovery process

In the recovery process, clients for which security measures have been implemented are judged and authenticated again, and those judged Safe are reconnected to the network.

The following figure shows the recovery process (repeating client judgment).

Figure 14-16 Recovery process (repeating client judgment)

[Figure]

  1. Inventory information for the clients is reported to JP1/Software Distribution Manager on the management server via JP1/Software Distribution Client (relay system)# on the treatment server.
    After the patch is applied, the latest inventory information for clients B and C is reported to JP1/Software Distribution Manager on the management server via JP1/Software Distribution Client (relay system)# on the treatment server.

    #
    JP1/Software Distribution SubManager 07-50 or later can also be used.
  2. JP1/CSC - Manager on the management server judges clients B and C to be safe.
    JP1/CSC - Manager on the management server compares the inventory information against the judgment policy, and finds that all patches are applied. As a result, clients B and C are judged to be Safe.
  3. JP1/CSC - Manager on the management server instructs JP1/CSC - Agent on the authentication server to permit network connections (for clients B and C).
    Based on the action policy, JP1/CSC - Manager on the management server instructs JP1/CSC - Agent on the authentication server to allow clients B and C access to the network.
  4. JP1/CSC - Agent on the authentication server updates the connection control list.
    JP1/CSC - Agent on the authentication server updates the connection control list by applying the action that permits network connection.
    The existing connection information for client B in the connection control list is changed from Deny to Permit.
    Because there is no information about client C in the list, JP1/CSC - Agent registers the MAC address and IP address obtained as part of the inventory information for client C, and sets the connection information for client C to Permit.

    The following figure shows the recovery process (repeating client authentication).

    Figure 14-17 Recovery process (repeating client authentication)

    [Figure]

  5. Initiate client re-authentication.
    Client re-authentication is performed so that client B and client C can be connected to the corporate network.
    When the client is restarted, the Windows standard supplicant service is restarted, or the client network connection is enabled, an authentication request is sent via the switch to Microsoft IAS or Network Policy Server on the authentication server.
    If sending of EAPOL-START packets# has not been set, the switch requests client authentication based on the authentication interval set on the switch.
    If client authentication is initiated based on the authentication interval setting of the switch, client A will be re-authenticated as well as clients B and C.

    #
    For details about configuring the supplicant to send EAPOL-START packets, see the description immediately following the table in 13.2.6(2) Setting up the Windows standard supplicant.
  6. The switch sends client authentication requests to Microsoft IAS or Network Policy Server on the authentication server.
    The switch requests authentication of clients B and C from Microsoft IAS or Network Policy Server on the authentication server.
    Clients B and C are authenticated according to the IEEE 802.1X standard, based on a user ID and password. However, the user ID and password for client A will not be checked, as it has already successfully completed the authentication process.

    The following figure shows the recovery process (reconnecting clients to the network).

    Figure 14-18 Recovery process (reconnecting clients to the network)

    [Figure]

  7. Microsoft IAS or Network Policy Server on the authentication server requests JP1/CSC - Agent to check the connection control list.
    When user authentication of client B and client C has been completed, Microsoft IAS or Network Policy Server on the authentication server requests JP1/CSC - Agent to check the connection control list.
  8. JP1/CSC - Agent on the authentication server checks the connection control list, and returns the VLAN-IDs of the clients' connection destinations to Microsoft IAS or Network Policy Server. Microsoft IAS or Network Policy Server then reports these VLAN-IDs to the switch.
    JP1/CSC - Agent on the authentication server checks the connection control list for information about clients B and C. In this case, clients B and C are listed as Permit.
    JP1/CSC - Agent then notifies Microsoft IAS or Network Policy Server that these clients should be connected to the corporate network, and Microsoft IAS or Network Policy Server reports the VLAN-ID of the corporate network to the switch.
  9. The switch switches the connection destinations of the clients.
    The switch decides the connection destination for each client based on the VLAN-IDs received from Microsoft IAS or Network Policy Server on the authentication server.
    Clients B and C are connected to the corporate network, and a message is sent to the clients notifying them of their connection destination. If authentication was initiated based on the authentication interval setting of the switch, a message will also be sent to client A.
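The four processes above, modelled as an added example that is not Hitachi's code: a connection control list keyed by MAC address, the judgment policy (all required patches applied means Safe), the action policy (Safe means Permit, Danger means Deny, unregistered clients are added from inventory), and the VLAN-ID decision the authentication server passes to the switch. The VLAN-IDs, MAC addresses, IP addresses and patch names are constructed sample values.

```python
# Added example (not JP1/CSC code): a model of the JP1/CSC - Agent connection
# control list and the VLAN-ID decision made during IEEE 802.1X authentication.
# All VLAN-IDs, MAC/IP addresses and patch names below are constructed values.
CORPORATE_VLAN = 10                 # VLAN-ID managed by IAS/NPS (assumed)
QUARANTINE_VLAN = 99                # VLAN-ID returned by JP1/CSC - Agent (assumed)
REQUIRED_PATCHES = {"KB-A", "KB-B"}  # constructed judgment policy
MAC_A, MAC_B, MAC_C = "02:00:00:00:00:01", "02:00:00:00:00:02", "02:00:00:00:00:03"

def judge(inventory):
    """Judgment policy: a client is Safe only if every required patch is applied."""
    return "Safe" if REQUIRED_PATCHES <= set(inventory["patches"]) else "Danger"

def apply_action(control_list, mac, inventory):
    """Action policy: Safe -> Permit, Danger -> Deny. A client not yet in the list
    is registered with the MAC and IP address taken from its inventory."""
    verdict = judge(inventory)
    control_list[mac] = {"ip": inventory["ip"],
                         "state": "Permit" if verdict == "Safe" else "Deny"}
    return verdict

def vlan_for(control_list, mac):
    """Isolation: Permit -> corporate VLAN; Deny or unregistered -> quarantine."""
    entry = control_list.get(mac)
    if entry is None or entry["state"] != "Permit":
        return QUARANTINE_VLAN      # unregistered assets are quarantined too
    return CORPORATE_VLAN

def run_scenario():
    """Walks clients A, B and C through inspection, isolation, treatment, recovery."""
    control_list = {}
    inventory = {   # constructed inventory; client C has not reported yet
        MAC_A: {"ip": "192.0.2.11", "patches": ["KB-A", "KB-B"]},
        MAC_B: {"ip": "192.0.2.12", "patches": ["KB-A"]},
    }
    for mac, data in inventory.items():        # authentication/inspection
        apply_action(control_list, mac, data)
    isolation = {m: vlan_for(control_list, m) for m in (MAC_A, MAC_B, MAC_C)}
    # treatment: patches delivered via the treatment server, inventory re-reported
    inventory[MAC_B]["patches"].append("KB-B")
    inventory[MAC_C] = {"ip": "192.0.2.13", "patches": ["KB-A", "KB-B"]}
    for mac in (MAC_B, MAC_C):                 # recovery: re-judge and update list
        apply_action(control_list, mac, inventory[mac])
    recovery = {m: vlan_for(control_list, m) for m in (MAC_A, MAC_B, MAC_C)}
    return isolation, recovery
```

Running run_scenario() reproduces the page's outcome: only client A reaches the corporate VLAN during isolation, and all three clients reach it after recovery.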




All Rights Reserved. Copyright (C) 2009, 2011, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated