Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/IT Desktop Management Administration Guide


1.6.3 General procedure for automatically controlling network access of devices in violation of a security policy

Devices in violation of a security policy do not have adequate security protection. If you allow such devices to continue accessing the network, problems such as information leakage, invalid operation, or virus infection can occur due to security flaws.

By specifying the network control conditions in a security policy, you can automatically disable or enable network access for computers according to the status of computers determined based on the security policy. This function is useful when you want to deny network access for computers that lack security protection and prevent the computers from accessing the network until adequate security protection is implemented on the computers.

To automatically control network access of a device in violation of a security policy:

1. Specify the network control settings in a security policy.

To automatically disable network access for computers that lack security protection, specify the security configuration items, message notification to a user, and the network connection control settings in a security policy.

2. Identify the device for which network access has been disabled.

Network access is automatically disabled for a device according to the status of the device determined based on the security policy. Identify the device for which network access has been disabled, so that you can contact the user of the device and instruct the user to take appropriate measures.

3. Implement security protection on the device in violation of the security policy.

Instruct the user of the device to implement security protection on the device. When the security status of the device is determined to be satisfactory, network access is automatically enabled for the device.

You can automatically enable or disable network access for devices according to the status of devices determined based on the security policy.


(1) Specifying network control settings in a security policy

To automatically disable network access for computers that lack security protection, specify the network control settings in a security policy. In the network control settings, you can specify whether to allow or deny network access for computers according to the violation level determined for each computer. You can also specify a condition for disabling network access for computers, such as a time limit (in days) to correct the violation.

For example, by using the automatic message notification function, you can have a message sent to a user after a routine security check to prompt the user to implement security protection measures on the user's computer. If the user continues to ignore this message, you can disable network access for the user's computer. You can perform this operation by specifying a security policy as follows:

After you specify a security policy, you can control network access of computers according to the security status determined for the computers.

Tip

For security protection, even when network access is disabled for a computer, you can configure settings that allow that computer to access certain servers.


(2) Identifying the devices for which network access has been disabled

By specifying the message notification setting in a security policy, you can automatically send a message to a computer in violation of a security policy and prompt the user to implement security protection measures on the user's computer. In addition, by specifying the network control settings in a security policy, you can automatically disable network access for a computer in violation of the security policy.

When a computer is in violation of a security policy, a message is sent to the user of that computer after a routine security check. If the user continues to ignore this message and takes no measures to implement security protection on the computer, network access is automatically disabled for the computer according to the network control settings.

If a user finds out that network access has been disabled for the user's computer and contacts you (the administrator) for assistance, you need to instruct the user to implement security protection measures on the user's computer. By identifying the status of the user's computer, you can give clearer instructions on what the user has to do to implement proper security protection measures on the computer.

To identify the computers for which network access has been disabled, display the devices whose Connection Status is [Figure] in the Computer Security Status view of the Security module. By using the filtering function, you can quickly find the computer you are looking for. By identifying the status of the device for which network access has been disabled, you can understand the security flaws of the device.

Tip

You (the administrator) can also receive an email notification when network access has been disabled for a device. To enable email notification, in the Event Notifications view of the Settings module, select the Warning and Security check boxes. When you select these check boxes, email notification is sent not only when network access is disabled for a device but also when other warning events occur.

After identifying what the problem is, ask the user to take appropriate measures.


(3) Implementing security protection measures on a device in violation of a security policy

After appropriate measures are taken to correct the security flaws found in a device for which network access has been disabled due to violation of a security policy, network access is automatically enabled for the device.

When, in response to a request made by an administrator or based on the content of a message, a user corrects all the problems that led to the violation of the security policy, the violation level of the computer becomes Safe. When the computer is determined to be Safe, network access is automatically enabled for the computer.
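
The decision flow described in subsections (1) to (3), modelled as an added example; it is not code or configuration from JP1/IT Desktop Management. The class and field names, the level names other than Safe, the server names, and the rule that access is denied once the full time limit has elapsed are assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Hypothetical model: these names are assumptions, not the product's schema.
@dataclass(frozen=True)
class NetworkControlPolicy:
    deny_levels: frozenset      # violation levels for which access is denied
    grace_days: int             # time limit (in days) to correct the violation
    exempt_servers: frozenset   # servers reachable even while access is denied

@dataclass
class Device:
    name: str
    violation_level: str                     # "Safe" is the only level named on the page
    violation_since: Optional[date] = None   # date of the first failed check

def security_check(policy: NetworkControlPolicy, dev: Device, today: date):
    """One routine security check: returns (connection_status, notify_user)."""
    if dev.violation_level == "Safe":
        dev.violation_since = None           # violation corrected: access re-enabled
        return "allowed", False
    if dev.violation_since is None:
        dev.violation_since = today          # start the correction time limit
    # Assumption: access is denied once the full time limit has elapsed.
    overdue = (today - dev.violation_since).days >= policy.grace_days
    denied = dev.violation_level in policy.deny_levels and overdue
    return ("denied" if denied else "allowed"), True

def may_reach(policy: NetworkControlPolicy, status: str, server: str) -> bool:
    """A denied computer can still reach the servers exempted in the settings."""
    return status == "allowed" or server in policy.exempt_servers

if __name__ == "__main__":
    # Constructed sample data
    policy = NetworkControlPolicy(frozenset({"Critical"}), 3,
                                  frozenset({"patch.example.internal"}))
    pc = Device("PC-0042", "Critical")
    for day in (1, 2, 4):
        status, notify = security_check(policy, pc, date(2024, 1, day))
        print(day, status, notify, may_reach(policy, status, "files.example.internal"))
    pc.violation_level = "Safe"              # user corrected every problem
    print(security_check(policy, pc, date(2024, 1, 5)))
```

Keeping the exempted servers limited to those a user needs in order to correct the violation means a denied computer can be fixed without regaining general network access.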
