Designing Access Controls

Choose the Access Control Methods

Wired Zone Security Concerns

Wired zones can be physically protected to some extent; that is, you can control physical access to the wire by allowing only authorized people to enter the buildings that contain the LAN. If would-be hackers cannot physically access the wires, they cannot tap into the wire and use a protocol analyzer to eavesdrop on wired communications.

Of course, there is always the possibility that someone will break into your building, compromising your physical security. And unfortunately, you must also protect the network against people who are allowed into your building, either temporarily or permanently. You must set up security to protect your network against careless or even malicious full-time employees, temporary employees, or guests.

For example, a temporary employee could unplug a printer and plug an unauthorized endpoint into the printer's jack. Unless that switch port authenticates the endpoint, the user inherits whatever access the printer's port was granted and bypasses your regular security measures.

Or, an enterprising employee may circumvent the process of requesting a wireless network through the IT department. Instead, the employee may purchase an access point (AP), plug it into an unused RJ-45 jack, and configure it for fellow employees to use. Although the AP is being used for work purposes and the employee did not have a malicious intent, this rogue AP could compromise network security. The employee may not select the strongest security, 802.1X with Wi-Fi Protected Access (WPA)/WPA2, for wireless networks. Not fully understanding wireless security, the employee might select static Wired Equivalent Privacy (WEP), which can be easily cracked.

To protect your network from both hackers and well-intentioned but ultimately harmful employees, you should protect each port by implementing 802.1X. Of course, you will have to weigh other factors such as whether or not all your endpoints support 802.1X. (These issues are described in more depth later in this chapter.)

If most of your endpoints support 802.1X, you can use it as the predominant access control method for a zone. You can then identify the endpoints that do not support 802.1X and use a different access control method, such as MAC-Auth, to authenticate them.
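The per-port design in this section, as an added example that is not part of the HP manual or its software: a simplified model of the RADIUS policy for one wired zone. Every port runs 802.1X; an endpoint that never answers the EAP Identity request falls back to MAC-Auth against an inventory of known non-802.1X devices; and every Access-Accept returns a dynamic ACL that limits the endpoint to the resources it needs, which is how the text says authorized users should be confined. The user store, MAC inventory, port names and ACL entries are constructed sample data, and binding each MAC-Auth entry to its jack is a design choice of this example rather than something the manual prescribes.

```python
"""Simplified model of a wired-zone port-access policy.

Added example, not HP Access Control code.  Every switch port runs 802.1X;
endpoints with no supplicant (printers) fall back to MAC-Auth against an
inventory; every accept carries a dynamic ACL scoped to what the endpoint
needs.  Users, MACs, ports and ACL entries below are constructed samples.
"""
from __future__ import annotations

import hmac
from dataclasses import dataclass, field
from typing import List, Optional

# Constructed 802.1X user store.  A real RADIUS server keeps hashed or
# EAP-method-specific credentials; plain secrets keep the example short.
USERS = {
    "alice": {
        "secret": "alice-pw",
        "acl": ["permit ip any 10.1.0.0/16", "deny ip any any"],
    },
    "guest01": {
        "secret": "guest-pw",
        "acl": ["permit tcp any any eq 443", "deny ip any any"],
    },
}

# Constructed MAC-Auth inventory: devices that cannot run 802.1X, bound to
# the jack they are installed on and limited to the one host they need.
MAC_INVENTORY = {
    "00:11:22:33:44:55": {  # lobby printer (constructed)
        "port": "A7",
        "acl": ["permit ip any host 10.1.5.10", "deny ip any any"],
    },
}


@dataclass
class AccessRequest:
    port: str                        # switch port the frame arrived on
    mac: str                         # calling-station MAC
    username: Optional[str] = None   # None: endpoint never answered EAP Identity
    password: Optional[str] = None


@dataclass
class Decision:
    accept: bool
    method: str                      # "802.1X" or "MAC-Auth"
    acl: List[str] = field(default_factory=list)
    reason: str = ""


def authorize(req: AccessRequest) -> Decision:
    """Return the accept/reject decision the switch would receive for a port."""
    mac = req.mac.lower()

    if req.username is not None:
        # A supplicant answered, so 802.1X is authoritative.  A failed 802.1X
        # attempt is deliberately not downgraded to MAC-Auth; otherwise a
        # cloned MAC would let an endpoint skip the credential check.
        user = USERS.get(req.username)
        if user is None or not hmac.compare_digest(
            user["secret"].encode(), (req.password or "").encode()
        ):
            return Decision(False, "802.1X", reason="bad credentials")
        return Decision(True, "802.1X", acl=list(user["acl"]))

    # No supplicant: only inventoried devices may use MAC-Auth.  An unknown
    # laptop on the printer's jack, or a rogue AP on a spare jack, lands here.
    device = MAC_INVENTORY.get(mac)
    if device is None:
        return Decision(False, "MAC-Auth", reason="MAC not in inventory")
    # MAC addresses are trivially cloned, so the inventory entry is also tied
    # to its jack: the printer's MAC seen on another port gets no access.
    if device["port"] != req.port:
        return Decision(
            False, "MAC-Auth",
            reason=f"MAC registered on {device['port']}, seen on {req.port}",
        )
    return Decision(True, "MAC-Auth", acl=list(device["acl"]))


if __name__ == "__main__":
    # Constructed scenarios from the text: an employee with credentials, the
    # printer on its own jack, and an unknown endpoint plugged into that jack.
    for r in [
        AccessRequest("A3", "AA:BB:CC:00:00:01", "alice", "alice-pw"),
        AccessRequest("A7", "00:11:22:33:44:55"),
        AccessRequest("A7", "AA:BB:CC:00:00:02"),
    ]:
        print(r.port, r.mac, authorize(r))
```

The point of the structure is that MAC-Auth is the weaker method and should be treated as such: it is reached only when no supplicant answers, never after a failed 802.1X exchange, and the ACL it hands back is narrower than any user ACL because the only thing it proves is a MAC address that anyone can copy.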

In private wired zones, the network should be configured—whether through a directory service, static access control lists (ACLs), or dynamic ACLs set in RADIUS policies—to limit each authorized user’s access to just the resources he or she needs. In public wired zones, the network configuration should


HP Access Control Client Software manual Wired Zone Security Concerns