Access Control Client Software manual
338 pages, 3.71 Mb
Contents
ProCurve Solutions
1 Access Control Concepts
2 Customer Needs Assessment
Determine Risk Tolerance
Evaluate the Existing Network Environment
3 Designing Access Controls
4 Other Resources
Appendix A: Glossary
Index
Addendum to the ProCurve Access Control Security Design Guide
Access Control Concepts
Introduction to Access Control
Data
Applications
Blocks access from unauthorized users at each network entry
Eliminates frustrations created by piecemeal
Network Access Control Technologies
Authentication, authorization, and accounting
Endpoint
integrity
Authorization
Authentication Factors
Something the user
knows
has
Authentication Protocols
Note
Access request
generator
Access decision
enforcer
Translator
Examples of RADIUS Servers
Microsoft IAS (Windows Server
Juniper
Steel-Belted
Radius
Local Policy Repository
Remote Policy Repository
Figure 1-1. Network Access Control Architecture
MAC authentication
(MAC-Auth)
Web authentication
(Web-Auth)
Process
Figure 1-2. The MAC-Auth Process
Local
MAC-Auth
Figure 1-3. The Web-Auth Process
Figure 1-4. The 802.1X Process
■MAC-Auth—None
EAP-Message
Digest 5 (MD5)
Lightweight EAP (LEAP)
EAP-Tunneled
TLS (TTLS)
Protected EAP (PEAP)
EAP-Generic
Token Card (GTC)
RADIUS Messages
Access
request
challenge
Access reject
Management
Default
Unauthorized
User
Server
Test
Infected
■Security Settings
■Software
■Operating System
■Browser Security Policy
Pre-connect
Post-connect
Permanent Agents
Minimal impact on
users
Control
Deployment
Memory consumed on
Transient Agents
Ease of
deployment
Minimal impact on users and
Unsupported
Requirements on the
application
Combined Solutions
Transient-agent
Agentless
Unknown
Healthy
Check-up
DHCP
Inline
WAN
A wireless
network
ProCurve NAC
Process for 802.1X Quarantining (Endpoint Integrity Only). The
Process for DHCP Quarantining
Process for Inline Quarantining
Process for 802.1X Quarantining
Figure 1-5. The User Authenticates and Is Placed in the Test VLAN
Figure 1-6. The NAC 800 Tests the User and Forces the User to Re-authenticate
Figure 1-7. The User Re-authenticates and Is Placed in the Appropriate VLAN
ProCurve IDM
Customer Needs Assessment
Types of Users
Table 2-1. Network Users
Types of Connections
Table 2-2. Network Users
Figure 2-1. Wireless and Wired Zones
Private wired
zone
Private wireless
Public wireless
Private remote
Figure 2-2. Access Control Zones
Determine Risk Tolerance
Sarbanes-Oxley
Health Insurance Portability and Accountability Act
Gramm-Leach-Bliley Act (GLBA)
■Federal Information Security Management Act of
(FISMA)
Payment Card Industry Data Security Standard (PCI
Lagging
organizations
Normative
Vulnerability to Attacks
Adware
Spyware
Rootkits
Trojan Horses
Viruses
Worms
ProCurve’s Virus Throttle™
Intrusion detection system (IDS)/intrusion prevention system
ProCurve Network Immunity
Evaluate the Existing Network Environment
Table 2-3. Recording Information about Network Switches
Figure 2-3. The AP as a Supplicant
Table 2-4. Recording Information about APs
Table 2-5. Recording Information about Workstations and Laptops
Table 2-6. Recording Information about Other Endpoints
Figure 2-4. Sample Network Diagram
Determine Your Endpoint Integrity Requirements
■Browser Security Policy—Windows
■Security Settings—Windows
■Operating System—Windows
Intranet
Trusted
Restricted
Internet
High
Table 2-7. Default Settings for Internet Explorer Zones
Networks to which the endpoint
Security settings for
macros
Local security
settings
The Human Factor
Designing Access Controls
Comprehensive Security Policy
Goals
Audience
Roles and
responsibilities
Business
Figure 3-1. Diagram of the PCU Campus
Dormitories
Classrooms
Plaza
Remote
access
Figure 3-2. PCU Campus Zones
Figure 3-3. Network Infrastructure Divided into Access Zones
Choose the Access Control Methods
Advantages and Disadvantages of Access Control Methods
Table 3-2. Security Concerns by Zone
Table 3-3. Wireless Security
Public Wireless Zones
Private Wireless Zones
Credentials
Table 3-5. Level of Technical Knowledge
Access Control Method by User Sophistication Level
Access Control Method by User Type and Sophistication
Access Control Method by Administrative Workload
Table 3-9. Endpoint Compatibility of Access Control Methods
Table 3-10. Configuration of PCU’s Endpoints
Table 3-11. Access Control Method by Endpoint Capabilities
Table 3-12. Administrative Control Levels
Table 3-13. Access Control Method by Administrative Control Level
Table 3-14. Authentication Method by Administrative Control
Table 3-15. Network Access Control Capabilities of ProCurve Edge Switches
Table 3-17. Access Control Method by Existing Infrastructure
Table 3-18. Network Access Control Capabilities of ProCurve Edge Switches
Table 3-19. Access Control Methods by Feasibility
Table 3-20. Preliminary Decisions for the Access Control Method
Table 3-21. Preliminary Decisions for the Access Control Method
Table 3-22. Access Control Methods for Each Zone
Make Decisions about Remote Access (VPN)
Table 3-23. Disadvantages of Remote Access
Table 3-24. Advantages of Remote Access
Table 3-25. Options for VPN Protocols
Table 3-26. Selecting VPN Options Based on Security Needs
Table 3-27. Selecting VPN Options Based on User Type and Sophistication
Table 3-28. Selecting VPN Options Based on Administrative Workload and IT Budget
Table 3-29. Endpoint Compatibility for Remote Access
Table 3-30. Selecting VPN Options Based on Endpoint
Table 3-31. Selecting VPN Options Based on Existing Network Infrastructure
Table 3-32. Preliminary Decisions for VPN Options
Table 3-33. PCU’s Preliminary Decisions for VPN Options
Choose the Endpoint Integrity Deployment Method
Table 3-34. Options for Endpoint Integrity Deployment Method by Access Control Method
Table 3-35. Deployment Method by Access Control Method
Table 3-36. Security Level of Deployment Methods
Table 3-37. Deployment Method by Security
Table 3-38. Deployment Method by Existing Network Infrastructure
Table 3-39. Deployment Method by Connection Type
Table 3-40. Preliminary Decisions for the Endpoint Integrity Deployment Method
Table 3-41. Preliminary Decisions for the Endpoint Integrity Deployment Method
Table 3-42. Deployment Method by Zone
Choose Endpoint Integrity Testing Methods
Table 3-43. Summary of Testing Methods
Automatically before
Automatically at initial
Figure 3-4. InstallShield Wizard for the NAC EI Agent
Manually
Configured in cluster
Submitted by the
end-user
Caution
Testing methods
Table 3-44. Testing Method by Control over Endpoints
Example
Table 3-45. Testing Method by Administrative Control
Table 3-46. Testing Methods by Post-Connect Testing
Table 3-47. Testing Method by Post-Connect Testing
Table 3-48. Testing Method by User Sophistication
Table 3-49. Testing Methods for User Sophistication
Table 3-50. Testing Methods by Administrative Workload
Table 3-51. Testing Methods for Administrative Workload
Table 3-52. Testing Method by Network Overhead
Table 3-53. Preliminary Decisions for Testing Methods
Table 3-54. Preliminary Decisions for Testing Method
Choose RADIUS Servers
Figure 3-8. Network Authentication Architecture
Authenticate
Authorize
Create accounting
records
Table 3-55. General Combination
Integrated
Table 3-56. Integrated Server Combination
server/proxy
Table 3-57. Integrated Server/Proxy Combination
Integrated server/proxy to turnkey
Table 3-59. Integrated Server/Proxy to Turnkey Server Combination
Fully
integrated
Table 3-60. Fully Integrated Combination
Table 3-63. Number of Users for Access Control Component Combinations
Table 3-64. Scalability of Access Control Component Combinations
Table 3-65. Access Control Component Combinations
Single-site
autonomous
fully
distributed
centralized
Table 3-66. Access Control Architecture Options for Component Combinations
Table 3-67. RADIUS Server Locations (Centralizing Policies)
Table 3-68. RADIUS Server Locations (Eliminating Inter-Site Traffic)
Table 3-69. RADIUS Server Locations (Reducing Inter-Site Traffic)
Table 3-70. RADIUS Server Locations for PCU
Providing Redundancy
Improving Performance
Table 3-71. General Combination for the NAC
Table 3-72. Integrated Server/Proxy for the NAC
Table 3-73. Turnkey Server Combination for the NAC
Table 3-74. Integrated Server/Proxy to Turnkey Combination for the NAC
Add ProCurve IDM
Select an EAP Method for
Figure 3-10. EAP Method Decision Flowchart
Table 3-75. EAP Methods Supported by 802.1X Supplicants
Table 3-76. EAP Methods Supported by RADIUS Servers
Finalize Security Policies
Table 3-77. Final Security Policy by Zone
Table 3-78. Example Security Policy by Zone
Table 3-79. Access Profiles
assignment
Table 3-80. Dynamic VLANs
Table 3-81. Dynamic VLANs for PCU
Allowed
resources
Table 3-82. Resources by Entire VLAN
Table 3-83. Resources
Table 3-84. PCU Resources by VLAN
Table 3-85. PCU Resources
Table 3-86. Resources Allowed in Access Profiles
Table 3-87. Resources Allowed in PCU Access Profiles
Rate limits and QoS
Table 3-88. Resources Allowed in Access Profiles
Access Policy Group Rules
Normal access
rights
Limited access
Table 3-89. Access Policy Group Rules
Table 3-90. Sample Access Policy Group Rules for PCU
Table 3-91. RADIUS Attributes in Access Requests
Table 3-92. Authentication Protocols for My Policies
Table 3-93. Dynamic Settings for My Policies
Domains
Hardware
Workgroups
Tests for Minimal Endpoint Integrity. All endpoints should be free of
Table 3-94. Tests for Minimal Endpoint Integrity
Table 3-95. Tests for Minimal Endpoint Integrity
Table 3-96. Tests for Medium Endpoint Integrity
Table 3-98. Macro Security Tests
Table 3-99. Other Tests for Hotfixes
Table 3-100. Windows Automatic Updates
Table 3-101. Tests for Applications
Table 3-102. Tests for Services
Table 3-103. Tests for Shared Connections
Table 3-104. Tests on Mac Airport
Table 3-105. Test for Windows Startup Registry Entries
Lay Out the Network
Figure 3-11. Adding Switches and VLANs to the Core Resources
Access Control Method
Guest Access
VLAN Assignment and Other Dynamic Settings. You can set up the
Endpoint Integrity
Table 3-106. Public Wired Zone Policies
Choose Switches
Table 3-107. Network Access Control Capabilities of ProCurve Edge Switches
Table 3-108. Public Wireless Zone Policies
Encryption
Choose APs
Table 3-109. Capabilities of ProCurve Wireless Products
Table 3-110. Authentication and Encryption Supported by ProCurve Wireless Products
Table 3-111. PoE Requirements on ProCurve RPs and APs
Table 3-112. ProCurve Products That Support PoE
Table 3-113. Private Wired Zone Policies
VLAN Assignment and Other Dynamic Settings. A successfully authen
Table 3-114. Network Access Control Capabilities of ProCurve Edge Switches
Table 3-115. Private Wireless Zone Policies
Table 3-116. VPN Capabilities of the ProCurve Secure Router 7000dl Series
Table 3-117. VPN Capabilities of the ProCurve VPN Client
Integrating all Parts of the Network Design
Other Resources
Implementation
Table 4-1. Elements of Each Access Control Solution
Appendix A: Glossary
See also DHCP deployment method and inline deployment method
802.1X quarantine
NAC policy
integrity posture
inline quarantine method
access grace period
access method
access mode
enforcement cluster
ADSL
adware
AEA
IDM
symmetric key
IPsec
ESP
asymmetric
TACACS+
endpoint integrity
AVP
back door
biometrics
Bluetooth
BSD
public key
private key
certificate authority See CA.
Challenge Handshake See CHAP.
symmetric
IPSec
digital certificate See certificate
DNS
domain
EAPOL
EAP-GTC
EAP-TLS
certificate authentication
EAP-TTLS
enforcement server See ES.
NAC policies
Ethernet ports
inline deployment method
DHCP deployment method
hash
HMAC
MAC
IAS
IGMP
access control state
access grace period
JavaScript
ISMI
L2TP
lightweight directory access protocol See LDAP.
load balancing
managed endpoint
management server See MS.
MS-CHAP
NAC
NAC policy group
NAS
NAT
NAT-T
NAT
network access
network access controller See NAC.
network access server See NAS.
PCM
PDA
PDP
PEAP
PKI
policy repository
post-connect
posture See integrity posture
PPTP
pre-connect
quarantine
quarantine all deployment method
quarantine subnet
radio port See RP
RC4
SSL
remote mirroring
remote procedure call See RPC.
rootkit
SHA-1
shared secret
smart card
smart phone
asymmetric keys
Telnet
testing methods
NAC agent test method
ActiveX test method
agentless test method
Trojan
virus
worm
TTLS
unmanaged
VoIP
VSA
Wireless Edge Services Module
WMI
WPA
WPA-PSK
Xauth
Xsupplicant
802.1X supplicant
RADIUS
zero-day
Numerics
Addendum to the ProCurve Access Control Security Design Guide
ProCurve Access Control Solution
Adaptive access control with endpoint
Adaptive EDGE
capabilities
Endpoint integrity
checking
Adaptive access
Access Control with Endpoint
Figure A-2. DHCP Plug-in Deployment—Single NAC 800 and Multiple DHCP Servers
■Better synchronization with Microsoft Active Directory (AD)
Integration with NPS and
NAP
Secure Access
Wizard
Microsoft NAP
Figure A-3. NAP Architecture
■NAP client
■NAP enforcement point
■NAP health policy server (NPS)
■Health requirement servers
■Restricted network
■Remediation servers
■Active Directory domain service
IPsec NAP
EAPHost NAP
VPN NAP
DHCP NAP
Figure A-4. Client-Side NAP Architecture
HRA
Table A-2. NAP ECs and Corresponding NAP Enforcement Points
Figure A-5. IPsec-Protected and Unprotected Communications
Secure
Boundary
Figure A-6. HRA Network Access
Figure A-7. DHCP Network Access
Figure A-8. VPN Network Access
Figure A-9. IEEE 802.1X Network Access
Figure A-10. Relationship of NAP Clients to Remediation Servers
Figure A-11. Relationship between NPS and Health Requirement Servers
Updating the Access Control Design Process
Microsoft Network Access Protection
Table A-3. Options for Endpoint Integrity Solution by Existing Network Environment
Examples
Table A-6. Preliminary Decisions for the Endpoint Integrity Deployment Method
Table A-7. Preliminary Decisions for the Endpoint Integrity Deployment Method
Table A-8. Preliminary Decisions for the Endpoint Integrity Deployment Method