Designing Access Controls
Choose the Endpoint Integrity Deployment Method
Table 3-36. Security Level of Deployment Methods
Inline | 802.1X | DHCP |
|
|
|
Security provided | High |
Security mechanism | The NAC 800 is physically |
| placed between the endpoint |
| and network resources. |
High
Compliant endpoints are dynamically assigned a VLAN;
Medium
The DHCP server gives a valid IP address only to compliant endpoints; the NAC 800 assigns
Vulnerability | None | None | Sophisticated users can |
|
|
| assign their devices a valid IP |
|
|
| address and avoid making |
|
|
| DHCP requests. |
|
|
|
|
Example
Based solely on security concerns, the PCU network administrators would choose the 802.1X deployment method for each access control zone and an inline deployment for remote access. However, the administrators know that they cannot use 802.1X as the deployment method with
Table 3-37. Deployment Method by Security
Factor | Private Wired | Public Wired | Private Wireless | Public Wireless | Remote |
Security | 802.1X | 802.1X | 802.1X | 802.1X | Inline |
802.1X | Inline | 802.1X | Inline | Inline | |
access control method |
|
|
|
|
|
is considered |
|
|
|
|
|
|
|
|
|
|
|
Existing Network Infrastructure
After the access control method, your existing network infrastructure is perhaps the most critical factor for selecting a deployment method.
If you are considering the 802.1X deployment method, your switches must of course support 802.1X. You should also determine whether the switches support traffic mirroring (which may be called port mirroring, port monitor- ing, or port spanning, depending on your
