HP Access Control Client Software 124

Designing Access Controls

Comprehensive Security Policy

The Process of Designing Access Control Security

This chapter outlines a step-by-step process for designing your access control security. It explains each step in-depth, helping you to understand all the factors you must consider when completing that step.

1.Choose the access control methods.

2.Make decisions about remote access (VPN).

3.Choose the endpoint integrity deployment method.

4.Choose the endpoint integrity testing method.

5.Choose Remote Authentication Dial-In User Service (RADIUS) servers.

6.Add ProCurve Identity Driven Manager (IDM).

7.Select an Extensible Authentication Protocol (EAP) method for 802.1X.

8.Finalize security policies.

9.Lay out the network.

As you go through each step in the process, you will return to the factors you considered in Chapter 2: “Customer Needs Assessment.” Some of these factors are technical; others are business issues. A well-designed, comprehensive security policy takes both into account.

Example Network

To illustrate which decisions need to be made and which aspects of your network need to be considered for each step, this chapter presents a hypothetical university. ProCurve University (PCU) enrolls approximately 20,000 students and employs approximately 4000 faculty, administrative, and support staff members.

Figure 3-1is a simplified diagram of the PCU campus, showing the areas where the PCU IT staff must provide network access: the open-air plaza, the administration building, the engineering department with its specialized resources, the classrooms, the dormitories, and the library.

3-8

Contents

ProCurve Solutions Page Page Page 1 Access Control Concepts 2 Customer Needs Assessment Determine Risk Tolerance Evaluate the Existing Network Environment 3 Designing Access Controls Page Page 4 Other Resources AAppendix A: Glossary Index Addendum to the ProCurve Access Control Security Design Guide Page Page Access Control Concepts Page Introduction to Access Control Data Applications Blocks access from unauthorized users at each network entry Eliminates frustrations created by piecemeal Page Network Access Control Technologies Authentication, authorization, and accounting Endpoint integrity Authorization Authentication Factors Something the user knows has Authentication Protocols N o t e Page Page Access request generator Access decision enforcer Translator Examples of RADIUS Servers Microsoft IAS (Windows Server Juniper Steel-Belted Radius Local Policy Repository Remote Policy Repository Figure 1-1.Network Access Control Architecture MAC authentication (MAC-Auth) Web authentication (Web-Auth) Process Figure 1-2.The MAC-AuthProcess Local MAC-Auth Page Figure 1-3.The Web-AuthProcess Page Figure 1-4.The 802.1X Process ■MAC-Auth—None Page Page EAP-Message Digest 5 (MD5) Lightweight EAP (LEAP) EAP-Tunneled TLS (TTLS) Protected EAP (PEAP) EAP-Generic Token Card (GTC) RADIUS Messages Access request challenge Access reject Page Page Page Page Page Management Default Unauthorized User Server Test Infected Page ■Security Settings ■Software ■Operating System ■Browser Security Policy Pre-connect Post-connect Permanent Agents Minimal impact on users Control Deployment Memory consumed on Transient Agents Ease of deployment Minimal impact on users and Unsupported Requirements on the application Combined Solutions Transient-agent Agentless Unknown Healthy Check-up DHCP Inline WAN A wireless network ProCurve NAC Process for 802.1X Quarantining (Endpoint Integrity Only). The Page Process for DHCP Quarantining Page Page Page Process for Inline Quarantining Page Process for 802.1X Quarantining Figure 1-5.The User Authenticates and Is Placed in the Test VLAN Figure 1-6.The NAC 800 Tests the User and Forces the User to Re-authenticate Figure 1-7.The User Re-authenticatesand Is Placed in the Appropriate VLAN ProCurve IDM Page Page Customer Needs Assessment Page Page Page Types of Users Page Page Table 2-1.Network Users Types of Connections Table 2-2.Network Users Page Figure 2-1.Wireless and Wired Zones Private wired zone Private wireless Public wireless Private remote Figure 2-2.Access Control Zones Page Determine Risk Tolerance Sarbanes-Oxley Health Insurance Portability and Accounting Act Gramm-Leach-Bliley Act (GLBA) ■Federal Information Security Management Act of (FISMA) Payment Card Industry Data Security Standard (PCI Lagging organizations Normative Vulnerability to Attacks Page Adware Spyware Rootkits Trojan Horses Viruses Worms ProCurve’s Virus Throttle™ Intrusion detection system (IDS)/intrusion prevention system ProCurve Network Immunity Evaluate the Existing Network Environment Table 2-3.Recording Information about Network Switches Figure 2-3.The AP as a Supplicant Table 2-4.Recording Information about APs Page Table 2-5.Recording Information about Workstations and Laptops Table 2-6.Recording Information about Other Endpoints Page Figure 2-4.Sample Network Diagram Determine Your Endpoint Integrity Requirements ■Browser Security Policy—Windows ■Security Settings—Windows ■Operating System—Windows Intranet Trusted Restricted Internet High Table 2-7.Default Settings for Internet Explorer Zones Page Networks to which the endpoint Security settings for macros Local security settings The Human Factor Page Page Page Designing Access Controls Page Page Page Comprehensive Security Policy Page Goals Audience Roles and responsibilities Business Page Figure 3-1.Diagram of the PCU Campus Dormitories Classrooms Plaza Remote access Figure 3-2.PCU Campus Zones Figure 3-3.Network Infrastructure Divided into Access Zones Choose the Access Control Methods Advantages and Disadvantages of Access Control Methods Page Table 3-2.Security Concerns by Zone Page Page Table 3-3.Wireless Security Public Wireless Zones Private Wireless Zones Credentials Page Table 3-5.Level of Technical Knowledge Access Control Method by User Sophistication Level Access Control Method by User Type and Sophistication Access Control Method by Administrative Workload Table 3-9.Endpoint Compatibility of Access Control Methods Table 3-10.Configuration of PCU’s Endpoints Table 3-11.Access Control Method by Endpoint Capabilities Table 3-12.Administrative Control Levels Table 3-13.Access Control Method by Administrative Control Level Table 3-14.Authentication Method by Administrative Control Table 3-15.Network Access Control Capabilities of ProCurve Edge Switches Table 3-17.Access Control Method by Existing Infrastructure Page Table 3-18.Network Access Control Capabilities of ProCurve Edge Switches Table 3-19.Access Control Methods by Feasibility Table 3-20.Preliminary Decisions for the Access Control Method Table 3-21.Preliminary Decisions for the Access Control Method Table 3-22.Access Control Methods for Each Zone Make Decisions about Remote Access (VPN) Table 3-23.Disadvantages of Remote Access Table 3-24.Advantages of Remote Access Table 3-25.Options for VPN Protocols Page Table 3-26.Selecting VPN Options Based on Security Needs Page Table 3-27.Selecting VPN Options Based on User Type and Sophistication Page Table 3-28.Selecting VPN Options Based on Administrative Workload and IT Budget Table 3-29.Endpoint Compatibility for Remote Access Table 3-30.Selecting VPN Options Based on Endpoint Table 3-31.Selecting VPN Options Based on Existing Network Infrastructure Table 3-32.Preliminary Decisions for VPN Options Table 3-33.PCU’s Preliminary Decisions for VPN Options Choose the Endpoint Integrity Deployment Method Page Table 3-34.Options for Endpoint Integrity Deployment Method by Access Control Method Table 3-35.Deployment Method by Access Control Method Page Table 3-36.Security Level of Deployment Methods Table 3-37.Deployment Method by Security Table 3-38.Deployment Method by Existing Network Infrastructure Table 3-39.Deployment Method by Connection Type Table 3-40.Preliminary Decisions for the Endpoint Integrity Deployment Method Table 3-41.Preliminary Decisions for the Endpoint Integrity Deployment Method Table 3-42.Deployment Method by Zone Choose Endpoint Integrity Testing Methods Table 3-43.Summary of Testing Methods Automatically before Automatically at initial Figure 3-4.InstallShield Wizard for the NAC EI Agent Manually Page Configured in cluster Submitted by the end-user C a u t i o n Page Page Page >Testing methods Page Page Table 3-44.Testing Method by Control over Endpoints Example Table 3-45.Testing Method by Administrative Control Table 3-46.Testing Methods by Post-ConnectTesting Table 3-47.Testing Method by Post-ConnectTesting Table 3-48.Testing Method by User Sophistication Table 3-49.Testing Methods for User Sophistication Table 3-50.Testing Methods by Administrative Workload Table 3-51.Testing Methods for Administrative Workload Table 3-52.Testing Method by Network Overhead Table 3-53.Preliminary Decisions for Testing Methods Table 3-54.Preliminary Decisions for Testing Method Choose RADIUS Servers Figure 3-8.Network Authentication Architecture Authenticate Authorize Create accounting records Table 3-55.General Combination Integrated Table 3-56.Integrated Server Combination server/proxy Table 3-57.Integrated Server/Proxy Combination Integrated server/proxy to turnkey Table 3-59.Integrated Server/Proxy to Turnkey Server Combination Fully integrated Table 3-60.Fully Integrated Combination Table 3-63.Number of Users for Access Control Component Combinations Table 3-64.Scalability of Access Control Component Combinations Table 3-65.Access Control Component Combinations Single-site autonomous fully distributed centralized Table 3-66.Access Control Architecture Options for Component Combinations Table 3-67.RADIUS Server Locations (Centralizing Policies) Table 3-68.RADIUS Server Locations (Eliminating Inter-SiteTraffic) Table 3-69.RADIUS Server Locations (Reducing Inter-SiteTraffic) Table 3-70.RADIUS Server Locations for PCU Providing Redundancy Improving Performance Page Page Page Page Page Table 3-71.General Combination for the NAC Table 3-72.Integrated Server/Proxy for the NAC Table 3-73.Turnkey Server Combination for the NAC Table 3-74.Integrated Server/Proxy to Turnkey Combination for the NAC Page Add ProCurve IDM Page Page Select an EAP Method for Figure 3-10.EAP Method Decision Flowchart Page Table 3-75.EAP Methods Supported by 802.1X Supplicants Table 3-76.EAP Methods Supported by RADIUS Servers Page Finalize Security Policies Table 3-77.Final Security Policy by Zone Table 3-78.Example Security Policy by Zone Page Table 3-79.Access Profiles assignment Table 3-80.Dynamic VLANs Table 3-81.Dynamic VLANs for PCU Allowed resources Table 3-82.Resources by Entire VLAN Table 3-83.Resources Table 3-84.PCU Resources by VLAN Table 3-85.PCU Resources Table 3-86.Resources Allowed in Access Profiles Table 3-87.Resources Allowed in PCU Access Profiles Rate limits and QoS Table 3-88.Resources Allowed in Access Profiles Access Policy Group Rules Normal access rights Limited access Table 3-89.Access Policy Group Rules Table 3-90.Sample Access Policy Group Rules for PCU Page Table 3-91.RADIUS Attributes in Access Requests Table 3-92.Authentication Protocols for My Policies Table 3-93.Dynamic Settings for My Policies Domains Hardware Workgroups Tests for Minimal Endpoint Integrity. All endpoints should be free of Table 3-94.Tests for Minimal Endpoint Integrity Table 3-95.Tests for Minimal Endpoint Integrity Table 3-96.Tests for Medium Endpoint Integrity Page Table 3-98.Macro Security Tests Table 3-99.Other Tests for Hotfixes Table 3-100.Windows Automatic Updates Table 3-101.Tests for Applications Table 3-102.Tests for Services Table 3-103.Tests for Shared Connections Table 3-104.Tests on Mac Airport Page Table 3-105.Test for Windows Startup Registry Entries Lay Out the Network Page Figure 3-11.Adding Switches and VLANs to the Core Resources Access Control Method Guest Access VLAN Assignment and Other Dynamic Settings. You can set up the Endpoint Integrity Table 3-106.Public Wired Zone Policies Choose Switches Table 3-107.Network Access Control Capabilities of ProCurve Edge Switches Table 3-108.Public Wireless Zone Policies Encryption Choose APs Table 3-109.Capabilities of ProCurve Wireless Products Table 3-110.Authentication and Encryption Supported by ProCurve Wireless Products Table 3-111.PoE Requirements on ProCurve RPs and APs Table 3-112.ProCurve Products That Support PoE Page Table 3-113.Private Wired Zone Policies VLAN Assignment and Other Dynamic Settings. A successfully authen Table 3-114.Network Access Control Capabilities of ProCurve Edge Switches Table 3-115.Private Wireless Zone Policies Page Page Table 3-116.VPN Capabilities of the ProCurve Secure Router 7000dl Series Table 3-117.VPN Capabilities of the ProCurve VPN Client Page Integrating all Parts of the Network Design Page Page Other Resources Implementation Table 4-1.Elements of Each Access Control Solution Page Appendix A: Glossary See also DHCP deployment method and inline deployment method 802.1X quarantine NAC policy integrity posture inline quarantine method access grace period access method access mode enforcement cluster ADSL adware AEA IDM symmetric key IPsec ESP asymmetric TACACS+ endpoint integrity AVP back door biometrics Bluetooth BSD public key private key certificate See CA. authority Challenge See CHAP Handshake symmetric IPSec digital certificate See certificate DNS domain EAPOL EAP-GTC EAP-TLS certificate authentication EAP-TTLS enforcement See ES. server NAC policies Ethernet ports inline deployment method DCHP deployment method hash HMAC MAC IAS IGMP access control state access grace period JavaScript ISMI L2TP lightweight See LDAP. directory access protocol load balancing managed endpoint management See MS. server MS-CHAP NAC NAC policy group NAS NAT NAT-T NAT network access network access See NAC. controller network access See NAS. server PCM PDA PDP PEAP PKI policy repository post-connect posture See integrity posture PPTP pre-connect quarantine quarantine all deployment method quarantine subnet radio port See RP RC4 SSL remote mirroring remote procedure See RPC. call rootkit SHA-1 shared secret smart card smart phone asymmetric keys Telnet testing methods NAC agent test method ActiveX test method agentless test method Trojan virus worm TTLS unmanaged VoIP VSA Wireless Edge Services Module WMI WPA WPA-PSK Xauth Xsupplicant 802.1X supplicant RADUIS zero-day Page Numerics Page Page Page Page Page Page Page Addendum to the ProCurve Access Control Security Design Guide Page Page ProCurve Access Control Solution Adaptive access control with endpoint Adaptive EDGE capabilities Endpoint integrity checking Adaptive access Access Control with Endpoint Page Page Page Figure A-2.DHCP Plug-in Deployment—SingleNAC 800 and Multiple DHCP Servers ■Better synchronization with Microsoft Active Directory (AD) Integration with NPS and NAP Secure Access Wizard Microsoft NAP Figure A-3.NAP Architecture ■NAP client ■NAP enforcement point ■NAP health policy server (NPS) ■Health requirement servers ■Restricted network ■Remediation servers ■Active Directory domain service IPsec NAP EAPHost NAP VPN NAP DHCP NAP Figure A-4. Client-SideNAP Architecture HRA Table A-2.NAP ECs and Corresponding NAP Enforcement Points Page Figure A-5. IPsec-Protectedand Unprotected Communications Secure Boundary Figure A-6.HRA Network Access Figure A-7.DHCP Network Access Figure A-8.VPN Network Access Figure A-9.IEEE 802.1X Network Access Figure A-10.Relationship of NAP Clients to Remediation Servers Figure A-11.Relationship between NPS and Health Requirement Servers Updating the Access Control Design Process Microsoft Network Access Protection Table A-3.Options for Endpoint Integrity Solution by Existing Network Environment Examples Page Page Table A-6.Preliminary Decisions for the Endpoint Integrity Deployment Method Table A-7.Preliminary Decisions for the Endpoint Integrity Deployment Method Table A-8.Preliminary Decisions for the Endpoint Integrity Deployment Method