1.6 Controlling network access of devices
Virus infection or information leakage could occur when a network within an organization is accessed by privately-owned computers or computers that do not have adequate security protection. Administrators who are responsible for managing devices used within their organization must control network access of devices to prevent unauthorized network access and to immediately disable network access for devices that do not have adequate security protection.
With JP1/IT Desktop Management 2, you can use the following functions to control network access of devices:
- Specify devices to be denied network access (blacklist method).
  If new devices are allowed access to the network, you can use this function to disable network access for only the devices that have security flaws. Network access is controlled by disabling it for the specified computers only.
- Specify devices to be allowed network access (whitelist method).
  Use this function if you want to deny network access from privately-owned computers in your organization. Because network access is disabled for every device other than the specified devices, you can maintain security more effectively.
- Disable or allow network access for devices at any given time.
  While applying the blacklist or whitelist method, use this function to disable network access for only the devices that are found to have security flaws.
- Use a command to block or enable network access of devices.
  Use this function when you want to execute a command from the management server, or from an environment other than that of the management server, to block network access.
Important: Before using the network monitoring function, make sure that you are fully aware of the devices that are allowed network access and those that are denied network access. If network access control is applied incorrectly, it can cause unexpected business interruptions, for example, by disabling network access for devices used for business operations.
Important: If you are implementing network access control by using the whitelist method, remember to register the devices that are not managed by JP1/IT Desktop Management 2 (such as routers, switches, and network printers) as devices that are allowed network access. In particular, if network devices such as routers and switches are not allowed network access, any subordinate devices connected to those network devices cannot access the network.
Important: We recommend that you manually register, in a network control list, the IP addresses of devices that are important for business operations, including routers, printers, and servers. In this way, you can prevent these devices' network access from being disabled by automatic updating of the network control list. If you enter a MAC address in a network control list, the entered MAC address might be deleted from the list when device information is updated. For this reason, leave the MAC Address field blank.
Control network access of devices by using the Inventory module and the Settings module.
The following figure shows a concept of how to control network access of devices:
To control network access of devices, you have to deploy agents to devices, with the network monitor enabled for each network segment. In this way, network access is controlled according to the network monitor settings assigned by the management server. In addition, by using a network control list, you can specify whether to allow or deny network access for each device.
For example, if you want to deny network access from privately-owned computers, first register the devices within your organization that are allowed network access in the network control list. Then, edit the network monitor settings to deny network access from new devices. In this way, you can maintain security of systems within your organization by automatically disabling network access for privately-owned computers.
Note that you cannot disable network access for management servers, relay systems, or the computers on which network monitor agents are installed.
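As an added example (not the product's own code or documentation), the following Python model shows how a network control list, the network monitor's deny-new-devices setting, the temporary-allow function, and the exemption for management servers, relay systems and network monitor computers combine into one allow/deny decision. It also includes a preflight check of the kind the Important notes above call for: it reports business-critical devices (routers, switches, printers, servers) that the current list would cut off. All class and field names, and the sample devices, are assumptions constructed for this illustration.

```python
from dataclasses import dataclass, field

# Roles whose network access the product cannot disable (see the note above).
EXEMPT_ROLES = {"management server", "relay system", "network monitor"}
# Roles the documentation recommends registering manually by IP address.
CRITICAL_ROLES = {"router", "switch", "printer", "server"}


@dataclass
class Device:
    name: str
    ip: str
    mac: str = ""           # left blank: MAC entries may be dropped on update
    role: str = "client"    # e.g. "router", "server", "client", "management server"


@dataclass
class NetworkControlList:
    # Network monitor setting: True = whitelist mode (deny new devices),
    # False = blacklist mode (allow new devices).
    deny_new_devices: bool
    allowed: set = field(default_factory=set)    # IPs registered as allowed
    denied: set = field(default_factory=set)     # IPs registered as denied
    temporary: set = field(default_factory=set)  # IPs temporarily allowed

    def decide(self, dev: Device) -> str:
        """Return 'allow' or 'deny' for a device seen on a monitored segment."""
        if dev.role in EXEMPT_ROLES:
            return "allow"                  # cannot be blocked by the product
        if dev.ip in self.denied:
            return "deny"                   # explicit (e.g. virus-infected) block
        if dev.ip in self.allowed or dev.ip in self.temporary:
            return "allow"
        # Unregistered device: outcome depends on the monitor setting.
        return "deny" if self.deny_new_devices else "allow"


def preflight(ncl: NetworkControlList, devices: list) -> list:
    """Names of business-critical devices the list would cut off if applied now."""
    return [d.name for d in devices
            if d.role in CRITICAL_ROLES and ncl.decide(d) == "deny"]


# Constructed sample segment: one router, one server, one private laptop,
# and the management server itself.
SEGMENT = [
    Device("core-router", "10.0.0.1", role="router"),
    Device("file-server", "10.0.0.10", role="server"),
    Device("private-laptop", "10.0.0.55"),
    Device("itdm-manager", "10.0.0.2", role="management server"),
]
```

Running `preflight` in whitelist mode before the router is registered reports `core-router`, which is exactly the misconfiguration the second Important note warns about.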
This section explains how to use JP1/IT Desktop Management 2 to perform the operations described below. See the description of the operation that suits your purpose.
- Deny network access from privately-owned computers.
  You allow only the specified computers to access the network.
- Disable network access for devices that have been infected with viruses.
  You can disable network access for virus-infected devices. After taking proper anti-virus measures, you can enable network access for these devices.
- Automatically control network access for devices in violation of a security policy.
  Network access is automatically disabled or enabled according to the status of computers, as determined by a security policy.
- Temporarily allow network access for specified devices.
  When network access for new devices is denied, you can allow only the specified computers to access the network temporarily.
- Use a command to block network access of devices.
  By executing a network access control command from the management server, or from an environment other than that of the management server, you can automatically block or enable network access of devices.
Important: On agents for UNIX, automatic control of enabling or disabling network access cannot be used, because the network monitor cannot be enabled and the security status cannot be determined. You need to enable or disable network access on demand.
Related Topics:
- 1.6.1 General procedure for denying network access for privately-owned personal computers
- 1.6.4 General procedure for temporarily allowing network access for specified devices