6.12 Network Control Policies
Network control policies manage client machine communications with unauthorized computers, block malicious or download-related ports, prevent virus intrusion, and safeguard internal network security.
These policies apply to computers and are ineffective in user mode. Policy attributes include:
| Policy Attribute |
Description |
| Communication Direction |
Three options: Bidirectional, Outbound, Inbound. Outbound/Inbound is relative to the client machine; outbound means the client initiates the connection. |
| Port Range |
Same as in traffic control policies. |
| Network Address Range |
Same as in traffic control policies. |
| Is Target a Client? |
Determines whether the remote machine is a client. Only effective if checked; otherwise, this check is ignored. |
| Same Group |
Controls communication between client machines in the same group. "Same group" refers to the group of the client applying the policy, excluding parent or subgroups. |
| Specific Group |
Controls communication with client machines in a specified group. Only effective if checked. |
| Belonging Group |
Specifies the group of the target machine. Required to enable the Include Subgroups option. |
| Include Subgroups |
Determines whether subgroups of the specified group are included. |
| Application |
Specifies the application allowed to access the network. |
Policy Example 1
To protect internal network security, a company may need to block certain malicious or download-related ports. This can be achieved using a network control policy.
- Policy: Mode = Block
- Settings: Specify the target address range and ports to block, e.g., port 80 or port 21.
- Blocking port 80 prevents clients from accessing websites.
- Blocking port 21 prevents FTP downloads.
Policy Example 2
Some departments may have critical computers that should not be accessed by machines outside the department. Network control policies can enforce this.
Policy Steps:
- Create a policy to Block the address range: Local Area Network.
- Create a policy to Allow communication where: Is Target a Client + Same Group.
Effect: Machines in the department can only communicate within their group. Before applying this policy, all departmental machines must be placed in the same group. Any machines outside the department without the client installed should have their IPs added to the allow policy.
Policy Example 3
Network control policies can be combined with access detection to prevent external computers from communicating with internal machines.
- For client-installed internal machines: Set network control policies to allow communication only with corporate computers. External machines cannot access these clients.
- For internal machines without the client: Mark them as Protected in access detection and enable access control. External machines will be considered unauthorized and cannot communicate with these protected machines.
Don't see what you're looking for?
