Hitachi

JP1 Version 12 JP1/IT Desktop Management 2 Administration Guide


1.6.1 General procedure for denying network access for privately-owned personal computers

When a network within an organization can be freely accessed by privately-owned computers, computers accessing the network can cause virus infection or information leakage. To prevent privately-owned computers from accessing the network in your organization, register devices that are allowed network access in a network control list so that only the registered devices can access the network.

By preventing devices not registered in the network control list from accessing the network, you can avoid the risk of security problems caused by privately-owned computers accessing the network.

To deny network access for privately-owned computers:

1. Register devices in a network control list.

Register devices that are allowed network access in a network control list.

2. Deny network access for unregistered devices.

Specify a setting to prevent devices not registered in the network control list from accessing the network.

3. Check devices accessing the network.

Check new devices accessing the network.


(1) Registering devices in a network control list

Register devices accessing the network within your organization in a network control list. You can view the network control list in the Network Filter Settings view of the Settings module. Make sure that you register all devices in your organization that are allowed network access in the network control list.

Important

Network access control is also applied to network devices such as routers and switches. If network access is disabled for network devices, other devices cannot access the network. For this reason, make sure that all the network devices within the range of network access control are registered in the network control list.

Tip

In the Network Filter Settings view of the Settings module, you can specify whether to allow network access for each device. By default, network access is allowed for devices displayed in the Network Filter Settings view.

Tip

If you enable the network monitor, you can discover devices that are turned on without having to search for devices periodically.

Devices that are managed by JP1/IT Desktop Management 2

Devices that are included as management targets or excluded from being managed are automatically registered in a network control list. These devices are therefore allowed network access. This means that you do not have to add these devices to the network control list.

Devices that are not managed by JP1/IT Desktop Management 2

To register all devices, periodically search the network for devices. By periodically searching the network for devices, you can discover devices that have just been turned on or laptop computers taken out of the office that have just accessed the network.

In addition, by enabling the network monitor for each network segment, you can discover devices currently accessing the network and new devices that have just accessed the network. If you enable the network monitor for each network segment, make sure that you do not change the default network monitor setting (allow network access for newly discovered devices).

Devices that are included as management targets or excluded from being managed are automatically registered in a network control list.

Important

If you replace a network device such as a router with a new one, the MAC address is updated. Network access is therefore disabled for the new network device. If you want the new network device to be allowed network access, register the MAC address of the new network device in advance. Alternatively, fix the IP address of the network device and then register that IP address in a network control list.


(2) General procedure for denying network access for unregistered devices

After registering all the devices used within your organization in a network control list, specify a setting to prevent devices not registered in the network control list from accessing the network.

Tip

Confirm that no more devices are discovered by a network search or by the network monitor, and that all the discovered devices have been either included as management targets or excluded from being managed. When these are confirmed, you can be sure that all the devices used within your organization have been registered in a network control list.

To deny network access for unregistered devices:

1. Enable the network monitor.

Enable the network monitor for the network segments within the range of network access control.

2. Change the network monitor settings.

By default, even when the network monitor is enabled, unauthorized devices are allowed access to the network. To prevent devices not registered in a network control list from accessing the network, set the network monitor settings to Deny Network Access, and then assign the network monitor settings to all the network segments.

Tip

If you specify common network monitor settings in advance that can be assigned to all network segments, you can change the network control settings of all network segments by simply making a change to the common network monitor settings.

Devices that are not registered in the network control list can no longer access the network.
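The control-list logic described in (1) and (2) can be modelled to rehearse the cutover before switching a segment to Deny Network Access. The following is an added example, not JP1/IT Desktop Management 2 code and not any JP1 API: it models the rules stated above (managed and excluded devices are auto-registered, entries may be keyed by MAC or by a fixed IP address, and unregistered devices are allowed under the default monitor setting but denied once Deny Network Access is assigned), runs the readiness check from the Tip above (every discovered device decided, every router or switch registered), and shows why registering a router by fixed IP keeps it reachable after a replacement changes its MAC. All device names and addresses are constructed.

```python
"""Model of the network-control-list decision described in this subsection.
Added example: not JP1 code, uses no JP1 API; all records are constructed."""
from dataclasses import dataclass
from enum import Enum


class MonitorMode(Enum):
    """Network monitor setting applied to devices not in the control list."""
    ALLOW_NEW = "allow"   # default: newly discovered devices may use the network
    DENY_NEW = "deny"     # "Deny Network Access" assigned to the segment


@dataclass(frozen=True)
class Device:
    name: str
    mac: str
    ip: str
    kind: str = "pc"            # "pc" or "network" (router/switch)
    status: str = "discovered"  # "managed", "excluded" or "discovered"


def normalize_mac(mac: str) -> str:
    """Compare MACs case-insensitively and regardless of ':' or '-' separators."""
    return mac.replace(":", "").replace("-", "").lower()


class ControlList:
    """Network control list: entries keyed by MAC or by a fixed IP address."""

    def __init__(self) -> None:
        self.macs: set[str] = set()
        self.ips: set[str] = set()

    def register_mac(self, mac: str) -> None:
        self.macs.add(normalize_mac(mac))

    def register_ip(self, ip: str) -> None:
        self.ips.add(ip)

    def contains(self, dev: Device) -> bool:
        return normalize_mac(dev.mac) in self.macs or dev.ip in self.ips


def build_control_list(devices, fixed_ip_devices=()) -> ControlList:
    """Managed and excluded devices are registered automatically (by MAC).
    Network devices that may be replaced are additionally registered by
    fixed IP, so the entry survives the MAC change of a swapped router."""
    cl = ControlList()
    for d in devices:
        if d.status in ("managed", "excluded"):
            cl.register_mac(d.mac)
    for d in fixed_ip_devices:
        cl.register_ip(d.ip)
    return cl


def access_decision(dev: Device, cl: ControlList, mode: MonitorMode) -> str:
    """Registered devices are always allowed; the monitor mode decides the rest."""
    if cl.contains(dev):
        return "allow"
    return "allow" if mode is MonitorMode.ALLOW_NEW else "deny"


def readiness_issues(devices, cl: ControlList) -> list[str]:
    """Checks to run before assigning DENY_NEW to a segment: every discovered
    device must be included or excluded, and every router or switch must be
    registered, otherwise the whole segment loses connectivity."""
    issues = []
    for d in devices:
        if d.status == "discovered":
            issues.append(f"{d.name}: still undecided (include or exclude it)")
        if d.kind == "network" and not cl.contains(d):
            issues.append(f"{d.name}: network device not in control list")
    return issues


# Constructed inventory of one segment (addresses are not real).
INVENTORY = [
    Device("office-pc-01", "00:11:22:33:44:55", "10.0.0.10", status="managed"),
    Device("printer-01", "00:11:22:33:44:66", "10.0.0.20", status="excluded"),
    Device("core-router", "AA:BB:CC:DD:EE:01", "10.0.0.1", kind="network", status="excluded"),
]
CONTROL_LIST = build_control_list(INVENTORY, fixed_ip_devices=[INVENTORY[2]])
MAC_ONLY_LIST = build_control_list(INVENTORY)  # router registered by MAC only

# Devices that appear after the segment has been switched to DENY_NEW.
NEW_ROUTER = Device("core-router-new", "AA:BB:CC:DD:EE:02", "10.0.0.1", kind="network")
PRIVATE_PC = Device("unknown-laptop", "DE:AD:BE:EF:00:01", "10.0.0.99")


def cutover_report() -> dict:
    """Readiness result plus the decisions the monitor would make afterwards."""
    return {
        "issues_before_cutover": readiness_issues(INVENTORY, CONTROL_LIST),
        "new_router_fixed_ip_list": access_decision(NEW_ROUTER, CONTROL_LIST, MonitorMode.DENY_NEW),
        "new_router_mac_only_list": access_decision(NEW_ROUTER, MAC_ONLY_LIST, MonitorMode.DENY_NEW),
        "private_pc_default_mode": access_decision(PRIVATE_PC, CONTROL_LIST, MonitorMode.ALLOW_NEW),
        "private_pc_after_cutover": access_decision(PRIVATE_PC, CONTROL_LIST, MonitorMode.DENY_NEW),
    }


if __name__ == "__main__":
    for key, value in cutover_report().items():
        print(f"{key}: {value}")
```

Running the script prints an empty issue list for the constructed inventory, "allow" for the replacement router when the original was registered by fixed IP and "deny" when it was registered by MAC only, and "allow" then "deny" for the privately-owned laptop before and after the segment is switched to Deny Network Access. Adding the laptop to the inventory as an undecided device makes the readiness check report it, which is the signal to hold the cutover.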


(3) Checking devices accessing the network

Even when the network monitor settings do not allow network access for newly connected devices, you can still check new devices that have accessed the network.

New devices are discovered as soon as they access a network. You can view the discovered devices in the System Summary panel of the Home module or the Discovered Nodes view of the Settings module. As soon as the new devices are discovered, network access is automatically disabled for these devices. You can see whether network access has been disabled for new devices by checking events.

If a privately-owned computer accessing the network is found, identify the user from the device information of the discovered computer, and then ask the user why the computer was connected to the network. If the user accessed the network for non-work-related reasons, instruct the user not to bring a privately-owned computer to work.

(4) Monitoring the network access status of devices in real time

If you are controlling network access of devices with the network monitor enabled, you can discover new devices accessing the network in real time. You can also automatically deploy agents to and install them on the discovered devices. By using this function, you can identify the current status of the devices accessing the network within your organization.

To discover devices by performing a network search, the devices must meet the following conditions at the time when a search is performed:

Devices that have not accessed the network for a long time, or that have been connected to the network but turned off for a long time, are not discovered by a network search.

By enabling the network monitor, you can automatically discover devices when they access the network or when they turn on. In addition, you can automatically include the discovered devices as management targets or deploy agents to them according to the network search settings.

Important

Even when you have specified the network monitor settings to deny network access for unregistered devices, these devices are discovered and agents are deployed to them. Whether devices to which agents have been deployed are allowed or denied network access depends on the settings such as security policies. Check the network access status of devices by using a device list in the Inventory module.

To monitor the network access status of devices used within your organization in real time, prepare a computer for each network segment that meets all of the following conditions: