Hitachi

Job Management Partner 1 Version 10 Job Management Partner 1/IT Desktop Management 2 Overview and System Design Guide


2.8.14 Automatically controlling network access

In an environment with the network monitor enabled, devices are automatically subjected to network access control based on a number of factors, including the results of assessment against a security policy and the nature of the device information registered for the device. For example, a computer that violates a security policy might be automatically blocked from the network, and then automatically unblocked after the issue is resolved.

Manual network access control settings take priority over automatic ones. If you manually deny a device network access, the device remains blocked even if a situation later arises in which it would otherwise be automatically granted access. Therefore, if you want to prevent a particular computer from connecting to the network in any circumstances, set it to Deny manually; it then cannot be permitted network access automatically at a later stage. For details about how to manually control network access, see 2.8.17 Manually controlling network access.

The following table describes the situations in which the features of JP1/IT Desktop Management 2 might automatically control the network access of a device.

Situation in which network access is controlled

Description

A device violates a security policy

If you define a security policy that denies network access to devices with a specific danger level in Action Items - Network Access Control, such devices are automatically blocked when assessed against the security policy. If the security status of a blocked computer later improves, it is judged as being compliant with the security policy and is automatically permitted network access again.

A hardware asset is added or edited

If you add a hardware asset in the Hardware Assets view of the Assets module that has an IP address or a MAC address, the device is registered in the network control list. If you change the IP address or MAC address in asset information, the change is reflected in the network control list. Network access is similarly permitted for imported hardware assets.

When a hardware asset is associated with a device, editing the hardware asset information does not result in changes to the network control list because IP addresses and MAC addresses are collected from the device.

Note that if you change the status of the hardware asset to Disposed or delete the hardware asset information altogether, the corresponding entry is removed from the network control list.

If you edit a MAC address in hardware asset information when the network control setting for the same MAC address already exists, the change is not applied to the network control list.

If automatic updating is set to only add entries, the setting for the new address is added and the network control settings that existed before the change are retained. For those retained settings, Automatic Updates Effect (Only Add Operations Enabled) is set to Confirmation Choices so that an administrator can decide whether to keep them.

For details about how to set automatic updating, see the description of the procedure for editing the automatic update of the network filter list in the Job Management Partner 1 Version 10 Job Management Partner 1/IT Desktop Management 2 Administration Guide.

A device enters the allowed time period for network access

If you permit a device to connect to the network within a specific time in the network control list, the device is automatically permitted network access when the specified start date/time arrives. When the end date/time arrives, the device is automatically blocked from the network again.

A discovered computer is designated as a management or exclusion target

When you designate a newly discovered computer as a management target or as an exclusion target, that computer is automatically granted network access. This applies even in a network segment where network access is not otherwise permitted: a discovered device that you designate as a management or exclusion target is able to access the network. Note that designating a device as an exclusion target therefore does not block it; to block such a device, deny it network access manually.

However, when a device discovered in a search is automatically designated a management target (rather than designated by you), it is subjected to network access control according to the network monitor settings.

A new device connects to the network

When network monitor settings are assigned to a network segment, new devices that connect to the network are automatically subjected to network access control based on the network monitor settings.

Device information is updated or deleted

If the MAC address or IP address of a device changes as a result of an update to device information, the corresponding change is automatically made to the network control list#.

If automatic updating is set to only add entries, the setting for the new address is added and the network control settings that existed before the change are retained. For those retained settings, Automatic Updates Effect (Only Add Operations Enabled) is set to Confirmation Choices so that an administrator can decide whether to keep them.

For details about how to edit the automatic update settings, see the description of the procedure for editing the automatic update of the network filter list in the Job Management Partner 1 Version 10 Job Management Partner 1/IT Desktop Management 2 Administration Guide.

Information is updated for a network connection device

With all automatic updates enabled, the system determines that the network adapter information has been deleted and removes the MAC address of that network adapter from the network control list (entries set to Not Permit are retained) in the following cases:

  • The network is disabled (by, for example, disabling the local area connection by using My Network Places).

  • The network cable is removed from the device.

  • A wireless LAN card is removed.

If automatic updating is set to only add entries, the new network adapter setting is added and the network adapter settings that existed before the change are retained. For those retained settings, Automatic Updates Effect (Only Add Operations Enabled) is set to Confirmation Choices so that an administrator can decide whether to keep them.

For details about how to edit the automatic update settings, see the description of the procedure for editing the automatic update of the network filter list in the Job Management Partner 1 Version 10 Job Management Partner 1/IT Desktop Management 2 Administration Guide.

If the network adapter of a device is frequently disabled, its MAC address would be repeatedly removed from the network control list in this way. To avoid this, register the device in the network control list with the following information, so that it is judged by IP address rather than by MAC address:

  • Judgment Form: IP Address

  • MAC Address: Do not enter

  • IP address: The IP address of the device

  • Connection to Network: Permit

Fill in the other items as needed.

#: For details about the updates of the network control list, see 2.8.15 Automatic updating of the network control list.
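The precedence and update rules described above (a manual Deny beating a later automatic Permit, allowed time periods, all-updates versus only-add automatic updating, and adapter removal deleting MAC-judged Permit entries but leaving IP-judged ones alone) can be checked against a small model. The following Python is an added illustration written for this page; it is not JP1/IT Desktop Management 2 code. The product keeps the network control list internally, so the Entry fields, the method names, the MAC-before-IP lookup order in is_permitted(), the default_permit parameter standing in for the segment's network monitor setting, and the sample addresses are all assumptions.

```python
"""Model of the network control list rules described in this section.

Added illustration, not JP1/IT Desktop Management 2 code. Entry fields,
method names, the MAC-before-IP lookup order, the default_permit stand-in for
the segment's network monitor setting and the sample addresses are assumed.
"""
from dataclasses import dataclass
from datetime import datetime
from typing import Optional


@dataclass
class Entry:
    judgment: str                      # Judgment Form: "MAC" or "IP"
    key: str                           # the MAC or IP address judged on
    permit: bool = True                # Connection to Network: Permit / Not Permit
    manual: bool = False               # set by an administrator, not by automation
    start: Optional[datetime] = None   # allowed time period, if any
    end: Optional[datetime] = None
    needs_confirmation: bool = False   # Confirmation Choices, set in only-add mode

    def allows(self, now: datetime) -> bool:
        """A Permit entry with a time period only permits inside that period."""
        if not self.permit:
            return False
        if self.start is not None and now < self.start:
            return False
        if self.end is not None and now >= self.end:
            return False
        return True


class NetworkControlList:
    def __init__(self, only_add: bool = False, default_permit: bool = False):
        self.only_add = only_add              # automatic update mode
        self.default_permit = default_permit  # assumed: segment behaviour for unlisted devices
        self.entries: list[Entry] = []

    def find(self, judgment: str, key: str) -> Optional[Entry]:
        return next((e for e in self.entries
                     if e.judgment == judgment and e.key == key), None)

    def manual_set(self, judgment: str, key: str, permit: bool) -> None:
        """Administrator decision (2.8.17); recorded as manual so it wins later."""
        e = self.find(judgment, key)
        if e is None:
            self.entries.append(Entry(judgment, key, permit, manual=True))
        else:
            e.permit, e.manual = permit, True

    def auto_set(self, judgment: str, key: str, permit: bool) -> None:
        """Automatic decision (policy assessment, discovery, asset registration).
        A manual Not Permit is never overridden by an automatic Permit."""
        e = self.find(judgment, key)
        if e is None:
            self.entries.append(Entry(judgment, key, permit))
        elif e.manual and not e.permit and permit:
            return                            # stays blocked
        else:
            e.permit = permit

    def address_changed(self, judgment: str, old_key: str, new_key: str) -> None:
        """Device or asset information update that changes a MAC or IP address."""
        e = self.find(judgment, old_key)
        if e is None or self.find(judgment, new_key) is not None:
            return                            # a setting for the new address already exists
        if self.only_add:
            # only additions: add the new setting, keep the old one and flag it
            self.entries.append(Entry(judgment, new_key, e.permit, e.manual))
            e.needs_confirmation = True
        else:
            e.key = new_key                   # all updates: rewrite the entry in place

    def adapter_removed(self, mac: str) -> None:
        """Adapter disabled, cable unplugged or wireless LAN card removed."""
        e = self.find("MAC", mac)
        if e is None or not e.permit:
            return                            # Not Permit entries are retained
        if self.only_add:
            e.needs_confirmation = True       # old setting kept, flagged for review
        else:
            self.entries.remove(e)            # MAC-judged Permit entry deleted

    def is_permitted(self, mac: str, ip: str, now: datetime) -> bool:
        """MAC-judged entry first, then IP-judged, then the segment default (assumed order)."""
        e = self.find("MAC", mac) or self.find("IP", ip)
        return e.allows(now) if e is not None else self.default_permit


if __name__ == "__main__":
    ncl = NetworkControlList()
    ncl.manual_set("MAC", "00:11:22:33:44:55", permit=False)   # constructed sample device
    ncl.auto_set("MAC", "00:11:22:33:44:55", permit=True)      # policy now compliant
    print(ncl.is_permitted("00:11:22:33:44:55", "10.0.0.5", datetime.now()))  # False
```

The point of the model is the asymmetry in auto_set(): an automatic Permit cannot undo a manual Not Permit, whereas an automatic Not Permit (for example from a policy violation) is applied regardless. The adapter_removed() path also shows why the section recommends an IP-judged entry for devices whose adapter is often disabled: only MAC-judged Permit entries are deleted, so an entry judged by IP address survives.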

Important note

While the network monitor is disabled, changes are still made to the settings that determine whether a device has network access. However, devices are not subject to network access control. Changes only take effect when the network monitor is enabled again.

Tip

An event is generated when a device is denied or permitted network access. You can also configure the system to notify the administrator by email.
