Job Management Partner 1/Client Security Control Description, User's Guide and Operator's Guide
A quarantine system linked to an authentication server controls network connections from clients based on the connection control list of JP1/CSC - Agent.
This subsection describes the following aspects of the connection control list:
- The contents of the connection control list
- The timing of updates to the connection control list
- Precautions regarding controlling network connections from the connection control list
- Commands for managing the connection control list
- Editing the connection control list
Organization of this subsection
- (1) Types of information registered in the connection control list
- (2) When the connection control list is updated
- (3) Notes on network connection control based on the connection control list
- (4) Commands for managing the connection control list
- (5) Editing the connection control list
(1) Types of information registered in the connection control list
Information is registered or updated in the connection control list whenever an action relating to network connection control is implemented. When a client is authenticated, the client's connection destination is determined by the contents of the connection control list.
The following information in the connection control list can be updated by actions.
- Network connection information
The status of the network connection: Permit, Deny, or Refuse in the emergency.
- MAC address
The MAC address for managing the client.
- IP address
The IP address for sending notification messages to the client.
The following table lists the contents of the connection control list that are registered or updated by certain actions.
Table 14-4 Contents of the connection control list registered or updated by actions
For each action, the entries below give the change made to the connection control list when the client is currently registered as Permit, registered as Deny, registered as Refuse in the emergency, or not registered.
1. Permit network connections
- Registered as Permit: Connection information is unchanged. If the IP address has changed, the new address is recorded.
- Registered as Deny: Connection information is changed from Deny to Permit. If the IP address has changed, the new address is recorded.
- Registered as Refuse in the emergency: Connection information is changed from Refuse in the emergency to Permit. If the IP address has changed, the new address is recorded.
- Not registered: The MAC address and IP address are added, and the connection information is registered as Permit.
2. Deny network connections
- Registered as Permit: Connection information is changed from Permit to Deny. If the IP address has changed, the new address is recorded.
- Registered as Deny: Connection information is unchanged. If the IP address has changed, the new address is recorded.
- Registered as Refuse in the emergency: Connection information is unchanged. If the IP address has changed, the new address is recorded.
- Not registered: The MAC address and IP address are added, and the connection information is registered as Deny.
3. Implement emergency denial of network connections
- Registered as Permit: Connection information is changed from Permit to Refuse in the emergency. If the IP address has changed, the new address is recorded.
- Registered as Deny: Connection information is unchanged. If the IP address has changed, the new address is recorded.
- Registered as Refuse in the emergency: Connection information is unchanged. If the IP address has changed, the new address is recorded.
- Not registered: The MAC address and IP address are added, and the connection information is registered as Refuse in the emergency.
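The update rules in Table 14-4 form a small state machine: Permit clears both Deny and Refuse in the emergency, whereas Deny and emergency denial only override Permit and never downgrade each other, and the IP address is refreshed on every action. The following Python model is an added example written for this page, not JP1/CSC - Agent's own code; the dictionary layout keyed by MAC address, the function names, and the sample MAC and IP values are assumptions made for illustration, while the status names and transitions are taken from the table.

```python
"""Illustrative model of the connection control list update rules in Table 14-4.

Added example for this page, not JP1/CSC - Agent code. The in-memory layout
(a dict keyed by MAC address) and the function names are assumptions; the
status names and transition rules come from the table.
"""
from dataclasses import dataclass

# Status values the table uses for "connection information".
PERMIT = "Permit"
DENY = "Deny"
REFUSE_EMERGENCY = "Refuse in the emergency"

# The three actions that update the list (rows 1-3 of Table 14-4).
ACTION_PERMIT = "Permit network connections"
ACTION_DENY = "Deny network connections"
ACTION_EMERGENCY_DENY = "Implement emergency denial of network connections"

# New status for a registered entry, indexed by action and then current status.
# Permit overrides Deny and Refuse in the emergency; Deny and emergency denial
# override Permit only and leave each other unchanged, exactly as in the table.
TRANSITIONS = {
    ACTION_PERMIT: {PERMIT: PERMIT, DENY: PERMIT, REFUSE_EMERGENCY: PERMIT},
    ACTION_DENY: {PERMIT: DENY, DENY: DENY, REFUSE_EMERGENCY: REFUSE_EMERGENCY},
    ACTION_EMERGENCY_DENY: {PERMIT: REFUSE_EMERGENCY, DENY: DENY,
                            REFUSE_EMERGENCY: REFUSE_EMERGENCY},
}

# Status given to a client that is not yet registered ("Not registered" column).
INITIAL_STATUS = {
    ACTION_PERMIT: PERMIT,
    ACTION_DENY: DENY,
    ACTION_EMERGENCY_DENY: REFUSE_EMERGENCY,
}


@dataclass
class Entry:
    """One client in the list: MAC address (management key), IP address
    (used for notification messages), and connection information."""
    mac: str
    ip: str
    status: str


def apply_action(control_list, action, mac, ip):
    """Apply one action for a client and return a short description of the change.

    control_list maps a MAC address to an Entry. Lower-casing the MAC is an
    assumption of this model, used only so that lookups are case-insensitive.
    """
    mac = mac.lower()
    entry = control_list.get(mac)
    if entry is None:
        # "Not registered": the MAC and IP address are added with the action's status.
        control_list[mac] = Entry(mac, ip, INITIAL_STATUS[action])
        return f"registered as {INITIAL_STATUS[action]}"

    old_status = entry.status
    entry.status = TRANSITIONS[action][old_status]
    changes = []
    if entry.status != old_status:
        changes.append(f"{old_status} -> {entry.status}")
    if entry.ip != ip:
        # "If the IP address has changed, the new address is recorded."
        entry.ip = ip
        changes.append("IP updated")
    return ", ".join(changes) or "unchanged"


def demo():
    """Walk one constructed client through the table's rows and return the log."""
    control_list = {}
    mac = "00:11:22:33:44:55"          # constructed sample MAC address
    steps = [
        (ACTION_EMERGENCY_DENY, "192.0.2.10"),   # not registered -> Refuse in the emergency
        (ACTION_DENY, "192.0.2.11"),             # Deny does not override emergency refusal
        (ACTION_PERMIT, "192.0.2.11"),           # Permit clears the emergency refusal
        (ACTION_DENY, "192.0.2.12"),             # Permit -> Deny, new IP recorded
    ]
    return [apply_action(control_list, action, mac, ip) for action, ip in steps]


if __name__ == "__main__":
    for line in demo():
        print(line)
```

The second step in demo() is the case worth noticing operationally: a client under emergency denial stays refused even when an ordinary Deny action is applied later, and only a Permit action returns it to the network.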
(2) When the connection control list is updated
The connection control list is updated when an action is implemented as a result of a security level judgment. However, clients cannot notify the management server of the latest inventory information, since they are unable to connect to the network until authenticated by the authentication server.
The following figure shows the timing at which the connection control list is updated.
Figure 14-26 Timing of updates to connection control list
As shown above, the connection control list is updated with the latest inventory information after the client is connected to the network.
- Note
- At the next authentication, network connection control is performed based on the latest inventory information.
(3) Notes on network connection control based on the connection control list
Control of network connections from a client based on the connection control list is performed when the client is successfully authenticated by IEEE 802.1X or MAC authentication.
After the client has been authenticated, network connection control is automatically applied to the client user. Therefore, we recommend that you specify the following two settings for client user notifications:
- Set up an action policy to send notification messages to client users.
- Set up an action policy to send messages alerting users that security measures must be implemented, when the client security level is Warning or Caution. For example, if you want to send notification messages to clients whose security level is Caution, specify the following settings in the action policy:
- Select Send message to user in the Notification to PC user area.
- Select Permit connection in the Control PC network connection area.
Remember to set the action policy to permit connections. If you fail to do so, the action policy will not update the connection control list.
- For details, see 6.10 Setting an action for each security level, and 6.12 Editing a client user notification message.
- Set the message notification information in JP1/CSC - Agent setup.
- In the action policy's message notification information, set message notification to Notify, and set messages informing users that their connection destination has been changed and what action they should take.
- For details, see 13.2.2(4)(b) Operations that can be performed on the IAS page.
- You cannot use message notification when JP1/CSC - Agent is running on Windows Server 2008.
- Note
- Do not set message notification information in JP1/CSC - Agent setup if your network environment includes a DHCP server.
- By default, message notification is performed using the IP address of the client. If the network environment includes a DHCP server, messages may inadvertently be sent to the wrong client.
(4) Commands for managing the connection control list
The following table lists the commands used to manage the connection control list.
Table 14-5 Connection control list management commands
1. cscrexport
Exports a connection control list to a CSV file. You can use the exported file to check the contents of the connection control list and edit client information.
2. cscrimport
Imports a file created by the administrator, or a connection control list exported by the cscrexport command, into JP1/CSC - Agent. Use this command to import a connection control list you edited as a CSV text file, or to restore the connection control list from a backup.
3. cscrdelete
Deletes client information from the connection control list. Use this command when you want to remove a client from the network.
For details about how to use these commands, see 15. Commands.
(5) Editing the connection control list
Ordinarily the connection control list is updated by JP1/CSC - Agent on the authentication server. However, administrators can also create and edit connection control lists as text files in CSV format.
When you have created a connection control list, you can import the data using the cscrimport command. For details about the connection control list and its format, see 16.16 Import file.
All Rights Reserved. Copyright (C) 2009, 2011, Hitachi, Ltd.
Copyright, patent, trademark, and other intellectual property rights related to the "TMEng.dll" file are owned exclusively by Trend Micro Incorporated.