Designing Access Controls

Choose the Endpoint Integrity Deployment Method

The DHCP deployment is less secure because sophisticated users can circumvent the endpoint integrity checking. If users configure their endpoint with a valid static IP address (rather than relying on the DHCP server to provide an address), their endpoint will not be quarantined even if it fails endpoint integrity tests.

If your switch supports DHCP snooping and Address Resolution Protocol (ARP) protection, however, you can block traffic from users who configure their endpoint with a static IP address. For example, the ProCurve Switches 3500yl, 5400zl, and 6200yl support both features. If you enable DHCP snooping, these switches protect your network against DHCP attacks by creating a DHCP snooping table, which tracks:

- MAC address
- IP address
- Lease time
- Binding type
- VLAN number
- Interface information that corresponds to each DHCP lease through an untrusted port

The switches can then use this table to protect your network against attacks such as ARP poisoning and ARP snooping. When you enable ARP protection, the switches verify the IP-to-MAC address binding on traffic received on untrusted ports. The switches check a packet’s IP and MAC address information against the information stored in their DHCP snooping table. If a user has assigned his or her endpoint a static IP address, the switch will not be able to verify the IP-to-MAC address binding in the table and will drop the user’s traffic.
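The following is an added illustration, not code from the HP manual or from ProCurve switch firmware: a small Python model of the DHCP snooping table described above and of the ARP protection check that consults it. Port names, MAC and IP addresses, lease lengths and the VLAN number are all constructed sample values. The model shows why each case is accepted or dropped: a client whose address came from a DHCP server on a trusted port has a binding and passes; an endpoint with a self-assigned static address has no binding and is dropped; a host on another port claiming an IP that is bound elsewhere (ARP poisoning) fails the MAC/port comparison; and a binding stops matching once its lease time has passed.

```python
"""Model of a switch DHCP snooping table plus ARP protection (added example).

The table columns mirror the ones the manual lists: MAC address, IP address,
lease time, binding type, VLAN number and the interface the lease was seen on.
All addresses, ports and times below are constructed sample values.
"""
from dataclasses import dataclass


@dataclass
class Binding:
    mac: str
    ip: str
    lease_expires: float   # absolute time (seconds) at which the lease ends
    binding_type: str      # "dynamic" = learned from a snooped DHCP exchange
    vlan: int
    port: str              # untrusted interface the client is attached to


class SnoopingSwitch:
    def __init__(self, trusted_ports):
        # Only ports facing the legitimate DHCP server are trusted.
        self.trusted_ports = set(trusted_ports)
        self.table = {}    # (vlan, ip) -> Binding

    def observe_dhcp_ack(self, server_port, mac, ip, lease_seconds, vlan, client_port, now):
        """Learn a binding from a DHCP ACK; replies from untrusted ports are ignored."""
        if server_port not in self.trusted_ports:
            return False   # rogue DHCP server: no binding is created
        self.table[(vlan, ip)] = Binding(mac, ip, now + lease_seconds, "dynamic", vlan, client_port)
        return True

    def expire(self, now):
        """Drop bindings whose lease time has run out."""
        self.table = {k: b for k, b in self.table.items() if b.lease_expires > now}

    def arp_allowed(self, port, vlan, sender_mac, sender_ip, now):
        """ARP protection: verify the IP-to-MAC binding of ARP seen on an untrusted port."""
        if port in self.trusted_ports:
            return True    # ARP protection is not applied on trusted ports
        self.expire(now)
        binding = self.table.get((vlan, sender_ip))
        if binding is None:
            return False   # e.g. a statically configured IP: nothing to verify against
        # The sender must match the MAC, the VLAN and the port recorded at lease time.
        return binding.mac == sender_mac and binding.port == port and binding.vlan == vlan


def demo():
    """Run the constructed scenarios and return which ARP frames would be forwarded."""
    sw = SnoopingSwitch(trusted_ports={"uplink1"})
    t0 = 1000.0
    # Legitimate lease: ACK arrives from the server on the trusted uplink.
    learned = sw.observe_dhcp_ack("uplink1", "aa:bb:cc:00:00:01", "10.0.1.20", 3600, 10, "port5", t0)
    # Rogue DHCP server on an untrusted port: its ACK must not create a binding.
    rogue = sw.observe_dhcp_ack("port9", "aa:bb:cc:00:00:09", "10.0.1.50", 3600, 10, "port9", t0)
    return {
        "lease_learned": learned,
        "rogue_server_ignored": not rogue,
        # Client using its DHCP-assigned address from the port it leased on.
        "dhcp_client": sw.arp_allowed("port5", 10, "aa:bb:cc:00:00:01", "10.0.1.20", t0 + 10),
        # User who set a static IP: no snooping entry, so the frame is dropped.
        "static_ip_user": sw.arp_allowed("port7", 10, "aa:bb:cc:00:00:02", "10.0.1.99", t0 + 10),
        # Host on port7 claiming the IP bound to port5 (ARP poisoning attempt).
        "poisoned_arp": sw.arp_allowed("port7", 10, "aa:bb:cc:00:00:02", "10.0.1.20", t0 + 10),
        # Same legitimate client after its 3600 s lease has expired.
        "after_lease_expiry": sw.arp_allowed("port5", 10, "aa:bb:cc:00:00:01", "10.0.1.20", t0 + 4000),
    }


if __name__ == "__main__":
    for case, forwarded in demo().items():
        print(f"{case:22s} -> {'forward' if forwarded else 'DROP'}")
```

The binding key is (VLAN, IP) rather than IP alone so that overlapping address ranges on different VLANs do not collide, and the check compares the port as well as the MAC so that a duplicated MAC address on another interface is still rejected.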

Table 3-36 compares the security levels of the deployment methods.

HP Access Control Client Software manual Designing Access Controls