2.8.13 Registering devices that are accessible to blocked devices
Some devices remain accessible to a device that has been blocked from the network by the network monitor feature: the computer in the same network segment that has the network monitor enabled, and any computers registered in Exclusive Communication Destination for Access-Denied Devices.
For example, if you register a server that provides security measures in Exclusive Communication Destination for Access-Denied Devices, a device that is blocked after being deemed a security risk can connect to the server to update its security.
The following figure shows an example in which a server that implements security measures is registered in Exclusive Communication Destination for Access-Denied Devices. Note that management servers and site servers are automatically registered in Exclusive Communication Destination for Access-Denied Devices.
In Exclusive Communication Destination for Access-Denied Devices, only register computers that are fully secure and can communicate with quarantined devices without introducing a security risk.
Important note:
When controlling network access based on the results of security assessment, do not remove the management server from Exclusive Communication Destination for Access-Denied Devices. If you do, you will be unable to judge the security status of devices, preventing network access from being controlled on this basis. If you inadvertently remove the server, add it again manually.
Tip:
You can use the remote control feature with blocked devices by adding the computer on which you use the controller to Exclusive Communication Destination for Access-Denied Devices.
The following table describes the cases for which you are required to register a computer in Exclusive Communication Destination for Access-Denied Devices.
| Cases | Settings that must be specified in Exclusive Communication Destination for Access-Denied Devices# | Problems that occur if the settings to the left are not specified |
|---|---|---|
| If using a DNS server to resolve names | Destination IP Address: The IP address of a DNS server<br>Communication Protocol: Not required<br>Destination Port Number: Not required<br>Source IP Address: Not required<br>Source Port Number: Not required | Devices that have been blocked from the network will fail to resolve the names of other computers, preventing such devices from communicating with other computers by using host names. |
| If using NetBIOS broadcasts to resolve names | Destination IP Address: Broadcast address (for example, 192.168.1.255)<br>Communication Protocol: UDP<br>Destination Port Number: 137<br>Source IP Address: Not required<br>Source Port Number: Not required | Name resolution will fail, and communications with computers on which Network Monitor is installed will not be possible. |
| If Network Monitor is installed on a DHCP server | Destination IP Address: 0.0.0.0<br>Communication Protocol: UDP<br>Destination Port Number: 68<br>Source IP Address: Specify a subnet mask in CIDR format (for example, 255.255.255.0/24)<br>Source Port Number: 67 | IP address assignment fails, and devices to which no IP address is assigned will be unable to access the network. |

#: These settings are only examples. Be sure to specify the settings required for your particular environment.
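The following Python is an added illustration, not code from the product or its documentation: it models how exception rules like the three table rows above decide whether a flow from a quarantined device is allowed, with "Not required" fields treated as wildcards. All addresses and the DHCP source subnet are constructed values, and the rule matching is a simplified model, not the network monitor's actual logic.

```python
import ipaddress

# Added model of an exception rule (not the product's own code).
# None stands for "Not required" in the table above.
def make_rule(dst_ip=None, proto=None, dst_port=None, src_net=None, src_port=None):
    return {
        "dst_ip": ipaddress.ip_address(dst_ip) if dst_ip else None,
        "proto": proto,
        "dst_port": dst_port,
        "src_net": ipaddress.ip_network(src_net, strict=False) if src_net else None,
        "src_port": src_port,
    }

# Constructed rule set mirroring the three table rows; addresses are made up.
RULES = [
    make_rule(dst_ip="192.168.1.53"),                               # DNS server
    make_rule(dst_ip="192.168.1.255", proto="UDP", dst_port=137),   # NetBIOS broadcast
    make_rule(dst_ip="0.0.0.0", proto="UDP", dst_port=68,
              src_net="192.168.1.0/24", src_port=67),               # DHCP on monitor host
]

def packet_allowed(rules, src_ip, src_port, dst_ip, dst_port, proto):
    """True if any exception rule matches this flow from a blocked device."""
    src, dst = ipaddress.ip_address(src_ip), ipaddress.ip_address(dst_ip)
    for r in rules:
        if r["dst_ip"] is not None and dst != r["dst_ip"]:
            continue
        if r["proto"] is not None and proto != r["proto"]:
            continue
        if r["dst_port"] is not None and dst_port != r["dst_port"]:
            continue
        if r["src_net"] is not None and src not in r["src_net"]:
            continue
        if r["src_port"] is not None and src_port != r["src_port"]:
            continue
        return True
    return False

def host_reachable(rules, host_ip):
    """Check for the important note above: is a host such as the management
    server still covered by some rule? A rule with no destination IP covers all."""
    host = ipaddress.ip_address(host_ip)
    return any(r["dst_ip"] is None or r["dst_ip"] == host for r in rules)
```

Running `host_reachable` against the configured management server address before changing the list is a cheap way to catch the accidental removal the note warns about.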