Job Management Partner 1/Client Security Control Description, User's Guide and Operator's Guide


14.2.2 Example of operating a quarantine system linked to an authentication server in a static VLAN environment (MAC authentication)

This subsection uses an operation example to explain the quarantine processes of a quarantine system linked to a MAC authentication server in a static VLAN environment.

This example is based on the following assumptions:

Organization of this subsection
(1) Authentication/inspection process
(2) Isolation process
(3) Treatment process
(4) Recovery process

(1) Authentication/inspection process

In the authentication/inspection process, clients that are a security risk are identified, and clients are authenticated.

The following figure shows the authentication/inspection process (client judgment).

Figure 14-19 Authentication/inspection process (client judgment)

[Figure]

  1. Inventory information for clients is reported to JP1/Software Distribution Manager on the management server via JP1/Software Distribution Client (relay system)# on the treatment server.
    Inventory information for clients A and B is reported to JP1/Software Distribution Manager on the management server via JP1/Software Distribution Client (relay system)# on the treatment server.

    #
    JP1/Software Distribution SubManager 07-50 or later can also be used.
  2. JP1/CSC - Manager on the management server judges client B to be Danger.
    JP1/CSC - Manager on the management server compares the inventory information against the judgment policy, and judges client B to be Danger.
  3. JP1/CSC - Manager on the management server instructs JP1/CSC - Agent on the authentication server to permit (client A) and deny (client B) network connections.
    Based on the action policy, JP1/CSC - Manager on the management server instructs JP1/CSC - Agent on the authentication server to allow client A access to the network, but deny access for client B.
  4. JP1/CSC - Agent on the authentication server updates the connection control list.
    JP1/CSC - Agent updates the network control list to reflect the action implemented on JP1/CSC - Manager, by setting client A to Permit and client B to Deny.

    The following figure shows the authentication/inspection process (client authentication).

    Figure 14-20 Authentication/inspection process (client authentication)

    [Figure]

  5. The switch starts client authentication.
    When a client is restarted, or when a client's disabled network connection is re-enabled, an authentication request is sent via the switch to Microsoft Internet Authentication Service or Network Policy Server on the authentication server. In addition, the switch requests client authentication when the maximum connection time set on the switch expires.
    In this example, a new client (client C) will also be added to the network.
  6. The switch sends client authentication requests to Microsoft Internet Authentication Service or Network Policy Server on the authentication server.
    The switch requests authentication of clients A, B, and C from Microsoft Internet Authentication Service or Network Policy Server on the authentication server.
    Clients A, B, and C are authenticated based on their MAC addresses.

(2) Isolation process

In the isolation process, client network connections are controlled based on the security policy.

The following figure shows the isolation process.

Figure 14-21 Isolation process

[Figure]

  1. Microsoft Internet Authentication Service or Network Policy Server on the authentication server requests JP1/CSC - Agent to check the connection control list.
    After clients A, B, and C have been authenticated, Microsoft Internet Authentication Service or Network Policy Server on the authentication server requests JP1/CSC - Agent to check the connection control list.
  2. JP1/CSC - Agent on the authentication server checks the connection control list, and returns the client authentication results# to Microsoft Internet Authentication Service or Network Policy Server. Microsoft Internet Authentication Service or Network Policy Server then reports the client authentication results to the switch.
    JP1/CSC - Agent on the authentication server checks the connection control list for information about clients A, B, and C. In this case, client A is listed as Permit, and client B is listed as Deny. Because no information about client C is listed in the connection control list, client C is deemed an unregistered asset.
    JP1/CSC - Agent returns the authentication results to Microsoft Internet Authentication Service or Network Policy Server.
    Microsoft Internet Authentication Service or Network Policy Server reports the received authentication results to the switch.

    #
    Results of judging whether to permit or deny connection to the corporate network based on the connection control list
  3. The switch controls the connection destinations of the clients.
    The switch controls the connection destination for each client based on the authentication results received from Microsoft Internet Authentication Service or Network Policy Server on the authentication server.
    Client A is connected to the corporate network, and clients B and C are connected to the unauthenticated network. A message is sent to the clients, notifying them of their connection destination.
    You must now implement security measures on clients B and C, which are connected to the unauthenticated quarantined network.

(3) Treatment process

In the treatment process, security measures are implemented on clients whose network connection is controlled. For details about how to implement security measures on clients, see 14.2.5 Implementing security measures on a client.

The following figure shows the treatment process.

Figure 14-22 Treatment process

[Figure]

  1. The administrator packages the patch and registers the package in JP1/Software Distribution Manager on the management server.
    The administrator packages the patch to be installed and registers the package in JP1/Software Distribution Manager on the management server.
  2. JP1/Software Distribution Manager on the management server distributes the patch.
    JP1/Software Distribution Manager on the management server executes a patch distribution job. The patch is transferred to JP1/Software Distribution Client (relay system)# on the treatment server.
  3. The patch is remotely installed from JP1/Software Distribution Client (relay system)# on the treatment server to the clients.
    Because clients in the unauthenticated network are permitted to communicate with JP1/Software Distribution Client (relay system)# on the treatment server, the patch is installed on the clients from JP1/Software Distribution Client (relay system). Application of the distributed patch implements security measures on the clients.

    #
    JP1/Software Distribution SubManager 07-50 or later can also be used.

Reference note
For a client whose network connection is controlled, the client user can also implement security measures by manually selecting and installing packages registered in JP1/Software Distribution Manager on the management server.

(4) Recovery process

In the recovery process, clients for which security measures have been implemented are judged and authenticated again, and those judged Safe are reconnected to the network.

The following figure shows the recovery process (repeating client judgment).

Figure 14-23 Recovery process (repeating client judgment)

[Figure]

  1. Inventory information for the clients is reported to JP1/Software Distribution Manager on the management server via JP1/Software Distribution Client (relay system)# on the treatment server.
    After the patch is applied, the latest inventory information for clients B and C is reported to JP1/Software Distribution Manager on the management server via JP1/Software Distribution Client (relay system)# on the treatment server.

    #
    JP1/Software Distribution SubManager 07-50 or later can also be used.
  2. JP1/CSC - Manager on the management server judges clients B and C to be safe.
    JP1/CSC - Manager on the management server compares the inventory information against the judgment policy, and finds that all patches are applied. As a result, clients B and C are judged to be Safe.
  3. JP1/CSC - Manager on the management server instructs JP1/CSC - Agent on the authentication server to permit network connections (for clients B and C).
    Based on the action policy, JP1/CSC - Manager on the management server instructs JP1/CSC - Agent on the authentication server to allow clients B and C access to the network.
  4. JP1/CSC - Agent on the authentication server updates the connection control list.
    JP1/CSC - Agent on the authentication server updates the connection control list by applying the network connection permission action.
    The existing connection information for client B in the connection control list is changed from Deny to Permit.
    Because there is no information about client C in the list, JP1/CSC - Agent registers the MAC address and IP address obtained as part of the inventory information for client C, and sets the connection information for client C to Permit.

    The following figure shows the recovery process (repeating client authentication).

    Figure 14-24 Recovery process (repeating client authentication)

    [Figure]

  5. Client re-authentication starts.
    Client re-authentication is performed so that client B and client C can be connected to the corporate network.
    When a client is restarted, or when a client's disabled network connection is re-enabled, an authentication request is sent via the switch to Microsoft Internet Authentication Service or Network Policy Server on the authentication server. In addition, the switch requests client authentication when the maximum connection time set on the switch expires.
    If client authentication is initiated based on the maximum connection time set on the switch, client A will be re-authenticated, as will clients B and C.
  6. The switch sends a client authentication request to Microsoft Internet Authentication Service or Network Policy Server on the authentication server.
    The switch requests authentication of clients B and C from Microsoft Internet Authentication Service or Network Policy Server on the authentication server.
    Clients B and C are authenticated based on their MAC addresses. However, the MAC address of client A is not re-authenticated because client A has already been successfully authenticated.

    The following figure shows the recovery process (reconnecting clients to the network).

    Figure 14-25 Recovery process (reconnecting clients to the network)

    [Figure]

  7. Microsoft Internet Authentication Service or Network Policy Server on the authentication server requests JP1/CSC - Agent to check the connection control list.
    When authentication of client B and client C has been completed, Microsoft Internet Authentication Service or Network Policy Server on the authentication server requests JP1/CSC - Agent to check the connection control list.
  8. JP1/CSC - Agent on the authentication server checks the connection control list, and returns the client authentication results to Microsoft Internet Authentication Service or Network Policy Server. Microsoft Internet Authentication Service or Network Policy Server then reports the client authentication results to the switch.
    JP1/CSC - Agent on the authentication server checks the connection control list for information about clients B and C. In this case, both clients B and C are listed as Permit.
    JP1/CSC - Agent reports the authentication results to Microsoft Internet Authentication Service or Network Policy Server. Microsoft Internet Authentication Service or Network Policy Server then reports the authentication results to the switch.
  9. The switch switches the connection destinations of the clients.
    The switch decides the connection destination for each client based on the authentication results received from Microsoft Internet Authentication Service or Network Policy Server on the authentication server.
    Clients B and C are connected to the corporate network, and a message is sent to the clients notifying them of their connection destination. If client authentication is performed based on the maximum connection time set on the switch, a message that reports the connection destination network will also be sent to client A.
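The judgment, connection-control-list lookup and network assignment described in the authentication/inspection, isolation and recovery processes above, as an added Python model that is not JP1's own code: the judgment policy, action policy, MAC addresses, IP addresses and patch names are constructed assumptions, and the exchange between JP1/CSC - Manager, JP1/CSC - Agent, Microsoft Internet Authentication Service or Network Policy Server and the switch is replaced by direct function calls. It also shows why an unregistered asset (client C) lands on the unauthenticated network before it has ever been judged.

```python
from dataclasses import dataclass, field

CORPORATE, UNAUTHENTICATED = "corporate", "unauthenticated"

@dataclass
class ConnectionControlList:
    """Hypothetical model of the connection control list held by JP1/CSC - Agent, keyed by MAC."""
    entries: dict = field(default_factory=dict)  # mac -> (action, ip)

    def lookup(self, mac):
        """Authentication-server side: 'Permit', 'Deny', or None for an unregistered asset."""
        entry = self.entries.get(mac.lower())
        return entry[0] if entry else None

    def apply_action(self, mac, ip, action):
        """Manager-side action: update an existing entry, or register the MAC/IP from inventory."""
        self.entries[mac.lower()] = (action, ip)

def judge(inventory, policy):
    """Judgment policy check: Danger if any required patch is missing from the inventory."""
    return "Danger" if policy["required_patches"] - set(inventory["patches"]) else "Safe"

def switch_destination(result):
    """Only an explicit Permit reaches the corporate network; Deny and unregistered (None) do not."""
    return CORPORATE if result == "Permit" else UNAUTHENTICATED

def judgment_cycle(ccl, inventories, policy):
    """Inspection/recovery pass; assumed action policy: Safe -> Permit, Danger -> Deny."""
    for mac, inv in inventories.items():
        ccl.apply_action(mac, inv["ip"], "Permit" if judge(inv, policy) == "Safe" else "Deny")

def authenticate(ccl, macs):
    """Isolation: the switch asks about each MAC; returns mac -> destination network."""
    return {mac: switch_destination(ccl.lookup(mac)) for mac in macs}

def scenario():
    """Replays the page's clients A, B and C with constructed MACs, IPs and patch names."""
    policy = {"required_patches": {"PATCH-1", "PATCH-2"}}
    a, b, c = "00:00:5e:00:53:0a", "00:00:5e:00:53:0b", "00:00:5e:00:53:0c"
    ccl = ConnectionControlList()
    # First cycle: only A and B report inventory; B is missing PATCH-2, C is unknown.
    judgment_cycle(ccl, {a: {"ip": "192.0.2.10", "patches": ["PATCH-1", "PATCH-2"]},
                         b: {"ip": "192.0.2.11", "patches": ["PATCH-1"]}}, policy)
    isolation = authenticate(ccl, [a, b, c])  # C is unregistered -> unauthenticated network
    # Recovery: B and C report inventory after treatment with all required patches applied.
    judgment_cycle(ccl, {b: {"ip": "192.0.2.11", "patches": ["PATCH-1", "PATCH-2"]},
                         c: {"ip": "192.0.2.12", "patches": ["PATCH-1", "PATCH-2"]}}, policy)
    recovery = authenticate(ccl, [b, c])
    return isolation, recovery, ccl
```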


All Rights Reserved. Copyright (C) 2009, 2011, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated