HP Access Control Client Software 147

Designing Access Controls

Choose the Access Control Methods

Network Infrastructure Devices as 802.1X Supplicants

If you implement 802.1X on the ports at your edge switches, you will want to authenticate network infrastructure devices (such as APs or even switches) as well as endpoints. This prevents anyone from attaching rogue APs and other unauthorized devices that could compromise your network security. APs can be a particular concern because you do not want anyone to attach a rogue AP to the network and begin collecting usernames and passwords from users.

In the 802.1X authentication process, an AP (or switch) typically functions as a network access server (NAS), initiating the authentication process and forcing a supplicant to authenticate before sending traffic onto the network. To authenticate to the network, however, the AP must assume another role: it must function as the 802.1X supplicant. Before transmitting traffic—includ- ing stations’ traffic—onto the network, the AP must submit a valid username and password to its NAS, which is the switch to which the AP attaches.

Like endpoints, APs must have the necessary software to function as an 802.1X supplicant. You must check your AP to determine if it has a supplicant. The ProCurve AP 420 and the ProCurve Radio Ports (RPs) include an 802.1X supplicant. (Because ProCurve Networking periodically updates its wireless products, you should always check the ProCurve Web site at http://www.pro- curve.com for a current list of each product’s capabilities.)

You should evaluate what other network infrastructure devices should authenticate to the network. It may be less critical for switches to act as supplicants if the two connecting switches (or the wall jacks that they supply) are placed in the same secure, locked room. That way, the secure room protects the connecting ports on both switches and the cable itself.

If two connecting switches are in different buildings and connect via RJ-45 jacks that are not protected in a secure room, you should protect the ports by implementing 802.1X on those ports and configuring the 802.1X supplicant on the switches.

Table 3-18shows at-a-glance which ProCurve switches include an 802.1X supplicant.

3-31

Contents

ProCurve Solutions Page Page Page 1 Access Control Concepts 2 Customer Needs Assessment Determine Risk Tolerance Evaluate the Existing Network Environment 3 Designing Access Controls Page Page 4 Other Resources AAppendix A: Glossary Index Addendum to the ProCurve Access Control Security Design Guide Page Page Access Control Concepts Page Introduction to Access Control Data Applications Blocks access from unauthorized users at each network entry Eliminates frustrations created by piecemeal Page Network Access Control Technologies Authentication, authorization, and accounting Endpoint integrity Authorization Authentication Factors Something the user knows has Authentication Protocols N o t e Page Page Access request generator Access decision enforcer Translator Examples of RADIUS Servers Microsoft IAS (Windows Server Juniper Steel-Belted Radius Local Policy Repository Remote Policy Repository Figure 1-1.Network Access Control Architecture MAC authentication (MAC-Auth) Web authentication (Web-Auth) Process Figure 1-2.The MAC-AuthProcess Local MAC-Auth Page Figure 1-3.The Web-AuthProcess Page Figure 1-4.The 802.1X Process ■MAC-Auth—None Page Page EAP-Message Digest 5 (MD5) Lightweight EAP (LEAP) EAP-Tunneled TLS (TTLS) Protected EAP (PEAP) EAP-Generic Token Card (GTC) RADIUS Messages Access request challenge Access reject Page Page Page Page Page Management Default Unauthorized User Server Test Infected Page ■Security Settings ■Software ■Operating System ■Browser Security Policy Pre-connect Post-connect Permanent Agents Minimal impact on users Control Deployment Memory consumed on Transient Agents Ease of deployment Minimal impact on users and Unsupported Requirements on the application Combined Solutions Transient-agent Agentless Unknown Healthy Check-up DHCP Inline WAN A wireless network ProCurve NAC Process for 802.1X Quarantining (Endpoint Integrity Only). The Page Process for DHCP Quarantining Page Page Page Process for Inline Quarantining Page Process for 802.1X Quarantining Figure 1-5.The User Authenticates and Is Placed in the Test VLAN Figure 1-6.The NAC 800 Tests the User and Forces the User to Re-authenticate Figure 1-7.The User Re-authenticatesand Is Placed in the Appropriate VLAN ProCurve IDM Page Page Customer Needs Assessment Page Page Page Types of Users Page Page Table 2-1.Network Users Types of Connections Table 2-2.Network Users Page Figure 2-1.Wireless and Wired Zones Private wired zone Private wireless Public wireless Private remote Figure 2-2.Access Control Zones Page Determine Risk Tolerance Sarbanes-Oxley Health Insurance Portability and Accounting Act Gramm-Leach-Bliley Act (GLBA) ■Federal Information Security Management Act of (FISMA) Payment Card Industry Data Security Standard (PCI Lagging organizations Normative Vulnerability to Attacks Page Adware Spyware Rootkits Trojan Horses Viruses Worms ProCurve’s Virus Throttle™ Intrusion detection system (IDS)/intrusion prevention system ProCurve Network Immunity Evaluate the Existing Network Environment Table 2-3.Recording Information about Network Switches Figure 2-3.The AP as a Supplicant Table 2-4.Recording Information about APs Page Table 2-5.Recording Information about Workstations and Laptops Table 2-6.Recording Information about Other Endpoints Page Figure 2-4.Sample Network Diagram Determine Your Endpoint Integrity Requirements ■Browser Security Policy—Windows ■Security Settings—Windows ■Operating System—Windows Intranet Trusted Restricted Internet High Table 2-7.Default Settings for Internet Explorer Zones Page Networks to which the endpoint Security settings for macros Local security settings The Human Factor Page Page Page Designing Access Controls Page Page Page Comprehensive Security Policy Page Goals Audience Roles and responsibilities Business Page Figure 3-1.Diagram of the PCU Campus Dormitories Classrooms Plaza Remote access Figure 3-2.PCU Campus Zones Figure 3-3.Network Infrastructure Divided into Access Zones Choose the Access Control Methods Advantages and Disadvantages of Access Control Methods Page Table 3-2.Security Concerns by Zone Page Page Table 3-3.Wireless Security Public Wireless Zones Private Wireless Zones Credentials Page Table 3-5.Level of Technical Knowledge Access Control Method by User Sophistication Level Access Control Method by User Type and Sophistication Access Control Method by Administrative Workload Table 3-9.Endpoint Compatibility of Access Control Methods Table 3-10.Configuration of PCU’s Endpoints Table 3-11.Access Control Method by Endpoint Capabilities Table 3-12.Administrative Control Levels Table 3-13.Access Control Method by Administrative Control Level Table 3-14.Authentication Method by Administrative Control Table 3-15.Network Access Control Capabilities of ProCurve Edge Switches Table 3-17.Access Control Method by Existing Infrastructure Page Table 3-18.Network Access Control Capabilities of ProCurve Edge Switches Table 3-19.Access Control Methods by Feasibility Table 3-20.Preliminary Decisions for the Access Control Method Table 3-21.Preliminary Decisions for the Access Control Method Table 3-22.Access Control Methods for Each Zone Make Decisions about Remote Access (VPN) Table 3-23.Disadvantages of Remote Access Table 3-24.Advantages of Remote Access Table 3-25.Options for VPN Protocols Page Table 3-26.Selecting VPN Options Based on Security Needs Page Table 3-27.Selecting VPN Options Based on User Type and Sophistication Page Table 3-28.Selecting VPN Options Based on Administrative Workload and IT Budget Table 3-29.Endpoint Compatibility for Remote Access Table 3-30.Selecting VPN Options Based on Endpoint Table 3-31.Selecting VPN Options Based on Existing Network Infrastructure Table 3-32.Preliminary Decisions for VPN Options Table 3-33.PCU’s Preliminary Decisions for VPN Options Choose the Endpoint Integrity Deployment Method Page Table 3-34.Options for Endpoint Integrity Deployment Method by Access Control Method Table 3-35.Deployment Method by Access Control Method Page Table 3-36.Security Level of Deployment Methods Table 3-37.Deployment Method by Security Table 3-38.Deployment Method by Existing Network Infrastructure Table 3-39.Deployment Method by Connection Type Table 3-40.Preliminary Decisions for the Endpoint Integrity Deployment Method Table 3-41.Preliminary Decisions for the Endpoint Integrity Deployment Method Table 3-42.Deployment Method by Zone Choose Endpoint Integrity Testing Methods Table 3-43.Summary of Testing Methods Automatically before Automatically at initial Figure 3-4.InstallShield Wizard for the NAC EI Agent Manually Page Configured in cluster Submitted by the end-user C a u t i o n Page Page Page >Testing methods Page Page Table 3-44.Testing Method by Control over Endpoints Example Table 3-45.Testing Method by Administrative Control Table 3-46.Testing Methods by Post-ConnectTesting Table 3-47.Testing Method by Post-ConnectTesting Table 3-48.Testing Method by User Sophistication Table 3-49.Testing Methods for User Sophistication Table 3-50.Testing Methods by Administrative Workload Table 3-51.Testing Methods for Administrative Workload Table 3-52.Testing Method by Network Overhead Table 3-53.Preliminary Decisions for Testing Methods Table 3-54.Preliminary Decisions for Testing Method Choose RADIUS Servers Figure 3-8.Network Authentication Architecture Authenticate Authorize Create accounting records Table 3-55.General Combination Integrated Table 3-56.Integrated Server Combination server/proxy Table 3-57.Integrated Server/Proxy Combination Integrated server/proxy to turnkey Table 3-59.Integrated Server/Proxy to Turnkey Server Combination Fully integrated Table 3-60.Fully Integrated Combination Table 3-63.Number of Users for Access Control Component Combinations Table 3-64.Scalability of Access Control Component Combinations Table 3-65.Access Control Component Combinations Single-site autonomous fully distributed centralized Table 3-66.Access Control Architecture Options for Component Combinations Table 3-67.RADIUS Server Locations (Centralizing Policies) Table 3-68.RADIUS Server Locations (Eliminating Inter-SiteTraffic) Table 3-69.RADIUS Server Locations (Reducing Inter-SiteTraffic) Table 3-70.RADIUS Server Locations for PCU Providing Redundancy Improving Performance Page Page Page Page Page Table 3-71.General Combination for the NAC Table 3-72.Integrated Server/Proxy for the NAC Table 3-73.Turnkey Server Combination for the NAC Table 3-74.Integrated Server/Proxy to Turnkey Combination for the NAC Page Add ProCurve IDM Page Page Select an EAP Method for Figure 3-10.EAP Method Decision Flowchart Page Table 3-75.EAP Methods Supported by 802.1X Supplicants Table 3-76.EAP Methods Supported by RADIUS Servers Page Finalize Security Policies Table 3-77.Final Security Policy by Zone Table 3-78.Example Security Policy by Zone Page Table 3-79.Access Profiles assignment Table 3-80.Dynamic VLANs Table 3-81.Dynamic VLANs for PCU Allowed resources Table 3-82.Resources by Entire VLAN Table 3-83.Resources Table 3-84.PCU Resources by VLAN Table 3-85.PCU Resources Table 3-86.Resources Allowed in Access Profiles Table 3-87.Resources Allowed in PCU Access Profiles Rate limits and QoS Table 3-88.Resources Allowed in Access Profiles Access Policy Group Rules Normal access rights Limited access Table 3-89.Access Policy Group Rules Table 3-90.Sample Access Policy Group Rules for PCU Page Table 3-91.RADIUS Attributes in Access Requests Table 3-92.Authentication Protocols for My Policies Table 3-93.Dynamic Settings for My Policies Domains Hardware Workgroups Tests for Minimal Endpoint Integrity. All endpoints should be free of Table 3-94.Tests for Minimal Endpoint Integrity Table 3-95.Tests for Minimal Endpoint Integrity Table 3-96.Tests for Medium Endpoint Integrity Page Table 3-98.Macro Security Tests Table 3-99.Other Tests for Hotfixes Table 3-100.Windows Automatic Updates Table 3-101.Tests for Applications Table 3-102.Tests for Services Table 3-103.Tests for Shared Connections Table 3-104.Tests on Mac Airport Page Table 3-105.Test for Windows Startup Registry Entries Lay Out the Network Page Figure 3-11.Adding Switches and VLANs to the Core Resources Access Control Method Guest Access VLAN Assignment and Other Dynamic Settings. You can set up the Endpoint Integrity Table 3-106.Public Wired Zone Policies Choose Switches Table 3-107.Network Access Control Capabilities of ProCurve Edge Switches Table 3-108.Public Wireless Zone Policies Encryption Choose APs Table 3-109.Capabilities of ProCurve Wireless Products Table 3-110.Authentication and Encryption Supported by ProCurve Wireless Products Table 3-111.PoE Requirements on ProCurve RPs and APs Table 3-112.ProCurve Products That Support PoE Page Table 3-113.Private Wired Zone Policies VLAN Assignment and Other Dynamic Settings. A successfully authen Table 3-114.Network Access Control Capabilities of ProCurve Edge Switches Table 3-115.Private Wireless Zone Policies Page Page Table 3-116.VPN Capabilities of the ProCurve Secure Router 7000dl Series Table 3-117.VPN Capabilities of the ProCurve VPN Client Page Integrating all Parts of the Network Design Page Page Other Resources Implementation Table 4-1.Elements of Each Access Control Solution Page Appendix A: Glossary See also DHCP deployment method and inline deployment method 802.1X quarantine NAC policy integrity posture inline quarantine method access grace period access method access mode enforcement cluster ADSL adware AEA IDM symmetric key IPsec ESP asymmetric TACACS+ endpoint integrity AVP back door biometrics Bluetooth BSD public key private key certificate See CA. authority Challenge See CHAP Handshake symmetric IPSec digital certificate See certificate DNS domain EAPOL EAP-GTC EAP-TLS certificate authentication EAP-TTLS enforcement See ES. server NAC policies Ethernet ports inline deployment method DCHP deployment method hash HMAC MAC IAS IGMP access control state access grace period JavaScript ISMI L2TP lightweight See LDAP. directory access protocol load balancing managed endpoint management See MS. server MS-CHAP NAC NAC policy group NAS NAT NAT-T NAT network access network access See NAC. controller network access See NAS. server PCM PDA PDP PEAP PKI policy repository post-connect posture See integrity posture PPTP pre-connect quarantine quarantine all deployment method quarantine subnet radio port See RP RC4 SSL remote mirroring remote procedure See RPC. call rootkit SHA-1 shared secret smart card smart phone asymmetric keys Telnet testing methods NAC agent test method ActiveX test method agentless test method Trojan virus worm TTLS unmanaged VoIP VSA Wireless Edge Services Module WMI WPA WPA-PSK Xauth Xsupplicant 802.1X supplicant RADUIS zero-day Page Numerics Page Page Page Page Page Page Page Addendum to the ProCurve Access Control Security Design Guide Page Page ProCurve Access Control Solution Adaptive access control with endpoint Adaptive EDGE capabilities Endpoint integrity checking Adaptive access Access Control with Endpoint Page Page Page Figure A-2.DHCP Plug-in Deployment—SingleNAC 800 and Multiple DHCP Servers ■Better synchronization with Microsoft Active Directory (AD) Integration with NPS and NAP Secure Access Wizard Microsoft NAP Figure A-3.NAP Architecture ■NAP client ■NAP enforcement point ■NAP health policy server (NPS) ■Health requirement servers ■Restricted network ■Remediation servers ■Active Directory domain service IPsec NAP EAPHost NAP VPN NAP DHCP NAP Figure A-4. Client-SideNAP Architecture HRA Table A-2.NAP ECs and Corresponding NAP Enforcement Points Page Figure A-5. IPsec-Protectedand Unprotected Communications Secure Boundary Figure A-6.HRA Network Access Figure A-7.DHCP Network Access Figure A-8.VPN Network Access Figure A-9.IEEE 802.1X Network Access Figure A-10.Relationship of NAP Clients to Remediation Servers Figure A-11.Relationship between NPS and Health Requirement Servers Updating the Access Control Design Process Microsoft Network Access Protection Table A-3.Options for Endpoint Integrity Solution by Existing Network Environment Examples Page Page Table A-6.Preliminary Decisions for the Endpoint Integrity Deployment Method Table A-7.Preliminary Decisions for the Endpoint Integrity Deployment Method Table A-8.Preliminary Decisions for the Endpoint Integrity Deployment Method