Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Overview and System Design Guide


2.8.10 Managing network access using a whitelist

You can use a whitelist approach to managing network access, whereby only the devices you register in a list are able to connect to the network. We recommend that you use this approach when you need to provide a more robust security environment.

The following figure shows an overview of network access control using a whitelist approach.

[Figure]

1. Register devices for which you want to permit network access.

In the Network Access Control - Network Filter Settings view of the Settings module, register the devices for which you want to permit network access. Be sure to register management servers, computers with the network monitor agent installed, and other devices that require a persistent connection to the network. Newly added devices are automatically added to the network control list. For details about how to manage the network control list, see 2.8.8 Managing the network control list.

2. Block network access by devices not registered in the network control list.

In the Network Access Control - Assign Network Access Control Settings view of the Settings module, assign a network monitor setting to all network segments that denies network access. Any unlisted devices that attempt to connect to the network will be blocked. For details about network monitor settings, see 2.8.7 Managing network monitor settings.

As a result, only permitted devices are able to connect to the network. If a non-permitted device attempts to connect to the network, it is blocked and an event is generated.

Tip

If you have configured the system to block network access by new devices in the Network Access Control view of the Settings module, a new device is blocked when it attempts to connect to the network. In this case, you can automatically grant network access to new computers by installing the agent program on the computer and assigning a security policy whose violation level is configured to permit network access in the Network Connection Control settings under Action Items. When a computer with the agent installed connects to the network, its ability to access the network is determined based on the result of a security assessment. If it is permitted network access as a result, the computer is automatically added to the network control list.

Important

When using the whitelist approach to manage network access, remember to permit network access by routers, switches, network printers, and other devices not directly managed by JP1/IT Desktop Management 2. A lack of network connectivity for such devices also prevents any downstream devices from accessing the network.
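To make the dependency described in this note concrete, here is an added Python model (not JP1/IT Desktop Management 2 code) of a deny-by-default check over a constructed topology and control list: a device is reachable only if it and every switch or router upstream of it is registered, and an audit function reports unlisted infrastructure before the deny setting is assigned. The device kinds, the documentation-range MAC values and the function names are assumptions.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Device:
    mac: str                       # identifier as registered in the network control list
    kind: str                      # "server", "computer", "router", "switch", "printer"
    upstream: Optional[str] = None # MAC of the switch/router this device connects through

# Constructed topology: a management server, an agent PC and a printer hang off one
# access switch, which connects through the site router.
DEVICES = {d.mac: d for d in [
    Device("00:00:5e:00:53:01", "router"),
    Device("00:00:5e:00:53:02", "switch", upstream="00:00:5e:00:53:01"),
    Device("00:00:5e:00:53:10", "server", upstream="00:00:5e:00:53:02"),
    Device("00:00:5e:00:53:11", "computer", upstream="00:00:5e:00:53:02"),
    Device("00:00:5e:00:53:12", "printer", upstream="00:00:5e:00:53:02"),
]}

# Constructed control list: the managed hosts and the router were registered,
# but the access switch was forgotten.
CONTROL_LIST = {"00:00:5e:00:53:01", "00:00:5e:00:53:10",
                "00:00:5e:00:53:11", "00:00:5e:00:53:12"}

def is_permitted(mac, devices, control_list, events):
    """Deny-by-default: the device and every upstream hop must be listed.
    A blocked attempt records an event naming the hop that caused the block."""
    hop, seen = mac, set()
    while hop is not None:
        if hop in seen:
            raise ValueError(f"upstream loop at {hop}")
        seen.add(hop)
        if hop not in control_list:
            events.append({"device": mac, "blocked_at": hop,
                           "reason": "not in network control list"})
            return False
        hop = devices[hop].upstream
    return True

def audit_control_list(devices, control_list):
    """Pre-check before assigning the deny setting to all segments: returns each
    unlisted router/switch mapped to the number of devices it would cut off."""
    missing = {d.mac: 0 for d in devices.values()
               if d.kind in ("router", "switch") and d.mac not in control_list}
    for d in devices.values():
        hop = d.upstream
        while hop is not None:
            if hop in missing:
                missing[hop] += 1
            hop = devices[hop].upstream
    return missing
```

Running the audit against the constructed list reports the forgotten switch and the three devices behind it; adding the switch to the list clears the audit and lets the downstream devices through.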

To use the whitelist approach to manage network access, change the automatic update setting of the network control list if necessary. By default, automatic updating is enabled for additions only.

If you want to automatically prevent a network connection device (such as a NIC) from being misused in the future, enable all automatic updates. However, if one of the conditions below exists, the system assumes that the network connection device (such as a NIC) has been removed, and deletes the device from the network control list. As a result, the device can no longer access the network.