HP Access Control Client Software manual
Models: Access Control Client Software
338 pages
18.69 Kb
Network Diagram
Zone Default Setting
Administrative Workload
Wireless Authentication
Designing Access Controls
Remote procedure call See RPC.
Security Settings
Weight
Testing Methods
Authorization
Contents
ProCurve Solutions
ProCurve Access Control Security
Applicable ProCurve Products
Customer Needs Assessment
Evaluate the Existing Network Environment
Designing Access Controls
Endpoint Capabilities and Administrative Control
Appendix A Glossary Index
Access Control Concepts
Contents
Introduction to Access Control
Network Access Control
Network Access Control Technologies
AAA
Authentication
Authorization
Accounting
NAS ID
Policy Enforcement Point PEP
Network Access Control Architecture
Endpoint
Policy Decision Point PDP
Policy Repository
Network Access Control Process
Network Access Control Architecture
Authentication-Based Network Access Control Methods
MAC-Auth
Introduce security vulnerabilities
MAC-Auth Process
Web-Auth
Web-Auth Process
802.1X
802.1X Process
MAC-Auth-None
Authentication Protocols
Authentication Requirements
PAP
MS-CHAPv2
EAP
RADIUS
NAS ID
Wireless Authentication
802.11
Static Wired Equivalent Privacy WEP
Dynamic WEP
WPA/WPA2
Access Control Rights-Dynamic Settings
VLANs
Devices
ACLs
Endpoint Integrity
Endpoint Integrity Policies
Software
Pre-connect and Post-connect Testing
Security Settings
Operating System
Testing Methods
Endpoint Requirements for Integrity Checking
WMI
Endpoint Integrity Posture
Quarantine Methods
User’s assignment and places him or her in a quarantine VLAN
NAC 800 as an Endpoint Integrity Only Solution
ProCurve NAC
802.1X Deployment
Process for 802.1X Quarantining Endpoint Integrity Only.
With each other
DHCP Deployment
IP address = 192.168.8.1/24 IP address = 192.168.9.1/24
Inline Deployment Method
NAC 800 as a RADIUS-Only Solution
NAC 800 as Both a RADIUS Server and an Endpoint Integrity Solution
User Authenticates and Is Placed in the Test VLAN
User Re-authenticates and Is Placed in the Appropriate VLAN
ProCurve IDM
WLAN
IAS, and the IDM agent on the same Windows Server
RADIUS Process with IDM
Customer Needs Assessment
Overview
Types of Users
Employees
Temporary Employees
Guests
Network Skills
Recording Information about Users
Network Users
Types of Connections
Wired Connections
Wireless Connections
Recording the Types of Connections Available to Users
Group Permitted Connections Access Times Network Resources
Remote Connections
Access Control Zones
Wireless and Wired Zones
Access Control Zones
Determine Risk Tolerance
Regulations
Federal Information Security Management Act
Regulatory Compliance
Quantify Your Company’s Risk Tolerance
External Attacks
Vulnerability to Attacks
Attack Vectors
Internal Attacks
Types of Attacks
Malware
Viruses and Worms
Edge Devices
Evaluate the Existing Network Environment
Size
Port Mirroring
Recording Information about Network Switches
Switch Vendor Firmware Location
Model Number Version Supported Monitoring Spanning
AP as a Supplicant
Recording Information about APs
Endpoints
Workstations and Laptops
Laptop or Quantity User Operating Applications
Other Endpoints
Recording Information about Workstations and Laptops
Workstation System Network
Recording Information about Other Endpoints
Directory Service
RADIUS Servers
DHCP Servers
Subnets and VLANs
Routing Information
Network Diagram
Sample Network Diagram
Determine Your Endpoint Integrity Requirements
Browser Security Policy-Windows
Zone Default Setting
Select Security Settings for Your Company
Default Settings for Internet Explorer Zones
Operating System-Windows
Security Settings-OS
Security Settings-Windows
Software-Windows
Human Factor
Control over Network Resources
IT Department Workload
Users’ Cooperation
Designing Access Controls
Endpoint Capabilities and Administrative Control
Select an EAP Method for 802.1X
Comprehensive Security Policy
Components
Process of Designing Access Control Security
Example Network
Diagram of the PCU Campus
PCU Campus Zones
Network Infrastructure Divided into Access Zones
Choose the Access Control Methods
Advantages and Disadvantages of Access Control Methods
High effort to
Endpoints that access
High
Security Zone Private Public
Network Access Zones Security
Security Concerns by Zone
Wired Zone Security Concerns
Wireless Zone Security Concerns
WEP
Wireless Security
WPA/WPA2 TKIP CCMP-AES
Web-Auth None by default
Do your endpoints have 802.1X supplicants?
Vulnerability and Risk Tolerance
User Type and Sophistication
Selecting an Access Control Method Based on Security Needed
Technical Knowledge Characteristics
Example
Access Control Method by User Sophistication Level
MAC-Auth Web-Auth 802.1X
Administrative Workload
Access Control Method by User Type and Sophistication
Access Control Method by Administrative Workload
Endpoint Compatibility of Access Control Methods
10. Configuration of PCU’s Endpoints
Hardware Type of Interface Operating System
Administrative Control over Endpoints
11. Access Control Method by Endpoint Capabilities
Description
12. Administrative Control Levels
13. Access Control Method by Administrative Control Level
Network Infrastructure Devices
14. Authentication Method by Administrative Control
Switch Series MAC-Auth Web-Auth 802.1X
ProCurve Product Software Version MAC-Auth Web-Auth 802.1X
New capabilities for these wireless products
17. Access Control Method by Existing Infrastructure
Network Infrastructure Devices as 802.1X Supplicants
ProCurve Switches 802.1X Supplicant
Bringing All of the Factors Together
19. Access Control Methods by Feasibility
Them
20. Preliminary Decisions for the Access Control Method
Factor Weight Private Wired Public Wired
21. Preliminary Decisions for the Access Control Method
Zone Access Control Method
Make Decisions about Remote Access VPN
22. Access Control Methods for Each Zone
Disadvantages Mitigating Factors
Decide Whether to Grant Remote Access
23. Disadvantages of Remote Access
Advantages Explanation
24. Advantages of Remote Access
Select VPN Options
25. Options for VPN Protocols
Vulnerability and Risk Assessment
DSA
26. Selecting VPN Options Based on Security Needs
They have?
Router or firewall
Administrative Workload and IT Budget
29. Endpoint Compatibility for Remote Access
Native Capabilities With VPN Client
Existing Network Infrastructure
30. Selecting VPN Options Based on Endpoint
Bringing All Factors Together
32. Preliminary Decisions for VPN Options
33. PCU’s Preliminary Decisions for VPN Options
Access Control Method
Choose the Endpoint Integrity Deployment Method
MAC-Auth
35. Deployment Method by Access Control Method
Vulnerability to Risks and Risk Tolerance
36. Security Level of Deployment Methods
Factor Private Wired Public Wired
Public Wireless Remote
37. Deployment Method by Security
38. Deployment Method by Existing Network Infrastructure
Wireless
Connection Type
39. Deployment Method by Connection Type
Wireless Connection type Inline
Bringing the Factors Together
Zone Deployment Method
Factor Weight Private Wired Public Wired Remote Wireless
42. Deployment Method by Zone
Testing Method Advantages Disadvantages
Choose Endpoint Integrity Testing Methods
43. Summary of Testing Methods
Requirements for Testing Methods
NAC EI Agent
InstallShield Wizard for the NAC EI Agent
ActiveX
Advantages and Disadvantages of NAC Agent Testing
Requirements for ActiveX Testing
Advantages and Disadvantages of ActiveX Testing
Agentless
Advantages and Disadvantages of Agentless Testing
Deciding Which Testing Methods to Enable
Requirements for Agentless Testing
Transparent Testing
Testing with User Interaction
Testing methods
Factors to Consider for Testing Methods
Administrative Control over Endpoints
Factor Public Wired Private Wired
44. Testing Method by Control over Endpoints
45. Testing Method by Administrative Control
Private Wireless Remote
Post-Connect Testing
46. Testing Methods by Post-Connect Testing
47. Testing Method by Post-Connect Testing
User Sophistication
Private Remote Wireless
48. Testing Method by User Sophistication
49. Testing Methods for User Sophistication
Agentless ActiveX NAC IE Agent
Administrative Workload
50. Testing Methods by Administrative Workload
51. Testing Methods for Administrative Workload
Network Overhead
Factor Public Wired
52. Testing Method by Network Overhead
53. Preliminary Decisions for Testing Methods
Bringing All of the Factors Together
54. Preliminary Decisions for Testing Method
Network Authentication Architecture
Choose RADIUS Servers
RADIUS Servers in a Network Without Endpoint Integrity
Choose Which Devices Will Play the Role of PDP
57. Integrated Server/Proxy Combination
55. General Combination
56. Integrated Server Combination
58. Turnkey Server
PEPs with Built-in PDPs
60. Fully Integrated Combination
61. Alternate Integrated Server/Proxy Combination
PEPs with Built-in PDPs and Policy/Credential Repositories
Users Combination Wired Per LAN Wireless Per LAN Total WAN
Most Scalable
64. Scalability of Access Control Component Combinations
65. Access Control Component Combinations
Least Scalable
Choose an Access Control Architecture
67. RADIUS Server Locations Centralizing Policies
68. RADIUS Server Locations Eliminating Inter-Site Traffic
69. RADIUS Server Locations Reducing Inter-Site Traffic
Determine the Number of RADIUS Servers
70. RADIUS Server Locations for PCU
Choose Your RADIUS Servers and Finalize the Plan
RADIUS Server Decision Tree
IAS as the RADIUS Server
Does your organization already use IAS for other functions?
NAC 800 as the RADIUS Server
73. Turnkey Server Combination for the NAC
71. General Combination for the NAC
72. Integrated Server/Proxy for the NAC
Wireless Edge Services Module Database
Determine If You Need IDM
Add ProCurve IDM
IDM Overview
Design Parameters for a Network with IDM
Create Access Policy Groups
Add Users
10. EAP Method Decision Flowchart
Select an EAP Method for
75. EAP Methods Supported by 802.1X Supplicants
Supplicant
Server
76. EAP Methods Supported by RADIUS Servers
EAP-TNC EAP-LEAP Not
77. Final Security Policy by Zone
Finalize Security Policies
User Groups and Policies
78. Example Security Policy by Zone
Access Group Policies with IDM
Access Profiles
79. Access Profiles
Access Profile
80. Dynamic VLANs
81. Dynamic VLANs for PCU
Resource VLAN ID Subnet Address
82. Resources by Entire VLAN
83. Resources
Resource IP Address Protocol
84. PCU Resources by VLAN
85. PCU Resources
86. Resources Allowed in Access Profiles
Access Profile Resources
87. Resources Allowed in PCU Access Profiles
Access Profile Resource
Faculty Web servers, white pages Library catalog and printer
88. Resources Allowed in Access Profiles
Resources Rate Limit QoS
Access Policy Inputs Group Location Time System
89. Access Policy Group Rules
90. Sample Access Policy Group Rules for PCU
Outputs-Access Profile
Access Policies without IDM
91. RADIUS Attributes in Access Requests
Attribute Explanation Value for My Policy
Attribute Policy 1-Setting Policy 2-Setting
92. Authentication Protocols for My Policies
93. Dynamic Settings for My Policies
Create the NAC Policies
Design NAC Policy Groups
Design NAC Policies
94. Tests for Minimal Endpoint Integrity
95. Tests for Minimal Endpoint Integrity
96. Tests for Medium Endpoint Integrity
Anti-Virus Anti-Spyware Personal Firewalls Mac Firewall
97. Web Browser Tests Test Settings Mozilla Firefox
Browser? Enter the required versions in Table
Microsoft Excel Microsoft Outlook
98. Macro Security Tests
99. Other Tests for Hotfixes
Windows Media Mac QuickTime IIS
Options Your selection
100. Windows Automatic Updates
101. Tests for Applications
104. Tests on Mac Airport
102. Tests for Services
103. Tests for Shared Connections
Windows Bridge Network Connection Mac Internet Sharing
Specified as allowed
105. Test for Windows Startup Registry Entries
Lay Out the Network
Core Resources
Access Zones for Endpoints
Public Wired Zone
VLAN Assignment and Other Dynamic Settings. You can set up
106. Public Wired Zone Policies
Public Wireless Zone
108. Public Wireless Zone Policies
109. Capabilities of ProCurve Wireless Products
Product Software Version Radios Modes WLANs
Version Methods 802.1X
Software Authentication
EAP Method for
111. PoE Requirements on ProCurve RPs and APs
112. ProCurve Products That Support PoE
Lay Out the Network
Private Wired Zone
113. Private Wired Zone Policies
Might otherwise be ignored
MS-CHAPv2
Private Wireless Zone
115. Private Wireless Zone Policies
Remote Zone
Tunnels
Module VPN Protocol Maximum Encryption
Number
3DES
Overlapping Zones
Combining Access Control Zone Designs
Adjacent Zones
117. VPN Capabilities of the ProCurve VPN Client
Designing Adjacent and Overlapping Zones
Adding Access Control to an Existing Network
Integrating all Parts of the Network Design
Migrating from One Solution to Another
Services and Support
ProCurve Elite Partners
Implementation
Other Resources
Elements of Each Access Control Solution
Elements Solution
Other Resources
Appendix A Glossary
Numeric
See also DHCP deployment method and inline deployment method
Access point See AP
Agent See NAC EI agent
Digital certificate See certificate
EI See endpoint integrity
Extensible Authentication Protocol See EAP
GTC See EAP-GTC
Enforcement server See ES.
Inline quarantine method
Mirroring, remote See remote mirroring
Lightweight Directory Access Protocol See LDAP.
Management server See MS.
PoE
Peer-to-peer
Permanent agent
Public key infrastructure See PKI.
Posture See integrity posture
Pre-shared key See PSK
Radio port See RP
Remote procedure call See RPC.
HTML
Index
See DNS
EAP … 1-21, 1-25, 1-53 EAP GTC …
See Imsi
OS-X
See SOX security policies
TLS
See WEP
Contents
Overview
ProCurve Access Control Solution
Enhancements to the ProCurve Access Control Solution
SMB Signing
Deep Check Testing
ProCurve NAC
Support for RDAC
Post-Connect NAC Testing
Integration with Microsoft SMS
DHCP Plug-in Deployment
Identity Driven Manager
Better synchronization with Microsoft Active Directory
Microsoft NAP
NAP Components
NAP client
NAP enforcement point
Health requirement servers
Active Directory domain service
NAP health policy server NPS
Restricted network
System Health Agents SHAs
NAP Client Architecture
NAP Enforcement Clients ECs
NAP Agent
NAP Server Architecture
Figure A-4. Client-Side NAP Architecture
NAP Enforcement Point
Table A-2. NAP ECs and Corresponding NAP Enforcement Points
IPsec
Network Access Methods
Health Requirement Servers
Figure A-5. IPsec-Protected and Unprotected Communications
Figure A-6. HRA Network Access
DHCP
VPN Access
802.1X Authentication
Figure A-9. IEEE 802.1X Network Access
Remediation and Health Requirement Servers
Updating the Access Control Design Process
Choose the Endpoint Integrity Solution
Existing Network Environment
Vulnerability to Risks and Risk Tolerance
Existing Network Environment Option
Management Resources
Risk Tolerance
Interoperability Requirements
Interoperability Option Requirements
Factor Weight Selection
Bringing the Factors Together
Choose the Endpoint Integrity Deployment Method