HP Access Control Client Software 246

Designing Access Controls

Lay Out the Network

Start your network core design with central network resources—your net- work’s servers, which might include:

■Directory servers (Active Directory, eDirectory, or Lightweight Directory Access Protocol [LDAP] servers) that can serve as the credential/policy repositories

■RADIUS servers (the PDPs)

N o t e	As you learned in “Choose Which Devices Will Play the Role of PDP” on
	page 3-79,your RADIUS servers might be instead built into edge devices.

■Proxy servers and firewalls

■ProCurve NAC 800 MSs

■ProCurve NAC 800 ESs that enforce 802.1X quarantining or act as RADIUS servers only

■Web servers

■Email servers

■Video streaming server

■Databases

Note that these central resources do not all have to be in the same location, even if you define them as part of the network core segment. For example, if you have multiple RADIUS servers to provide load balancing and redundancy, you might place them in different buildings on your campus to minimize the chance of fire or accident taking them all down at once.

Next, add the core switches. You need to provide high-capacity, Layer-3 switching to route traffic among the various VLANs. ProCurve offers several types and capacities of core-grade switches, so your decision will depend on your capacity needs. For example, you might choose the ProCurve Switch 8200zl for the central routing switches, and you might connect banks of servers to the ProCurve Switch 5400zl.

Although all these servers might be part of the network core, they need not be in the same VLAN. In the earlier planning steps, you designed server VLANs that separate resources according to the users who need to access them. As you connect servers to their switches, configure the switch ports for the correct server VLAN.

3-130

Contents

ProCurve Solutions Page Page Page 1 Access Control Concepts 2 Customer Needs Assessment Determine Risk Tolerance Evaluate the Existing Network Environment 3 Designing Access Controls Page Page 4 Other Resources AAppendix A: Glossary Index Addendum to the ProCurve Access Control Security Design Guide Page Page Access Control Concepts Page Introduction to Access Control Data Applications Blocks access from unauthorized users at each network entry Eliminates frustrations created by piecemeal Page Network Access Control Technologies Authentication, authorization, and accounting Endpoint integrity Authorization Authentication Factors Something the user knows has Authentication Protocols N o t e Page Page Access request generator Access decision enforcer Translator Examples of RADIUS Servers Microsoft IAS (Windows Server Juniper Steel-Belted Radius Local Policy Repository Remote Policy Repository Figure 1-1.Network Access Control Architecture MAC authentication (MAC-Auth) Web authentication (Web-Auth) Process Figure 1-2.The MAC-AuthProcess Local MAC-Auth Page Figure 1-3.The Web-AuthProcess Page Figure 1-4.The 802.1X Process ■MAC-Auth—None Page Page EAP-Message Digest 5 (MD5) Lightweight EAP (LEAP) EAP-Tunneled TLS (TTLS) Protected EAP (PEAP) EAP-Generic Token Card (GTC) RADIUS Messages Access request challenge Access reject Page Page Page Page Page Management Default Unauthorized User Server Test Infected Page ■Security Settings ■Software ■Operating System ■Browser Security Policy Pre-connect Post-connect Permanent Agents Minimal impact on users Control Deployment Memory consumed on Transient Agents Ease of deployment Minimal impact on users and Unsupported Requirements on the application Combined Solutions Transient-agent Agentless Unknown Healthy Check-up DHCP Inline WAN A wireless network ProCurve NAC Process for 802.1X Quarantining (Endpoint Integrity Only). The Page Process for DHCP Quarantining Page Page Page Process for Inline Quarantining Page Process for 802.1X Quarantining Figure 1-5.The User Authenticates and Is Placed in the Test VLAN Figure 1-6.The NAC 800 Tests the User and Forces the User to Re-authenticate Figure 1-7.The User Re-authenticatesand Is Placed in the Appropriate VLAN ProCurve IDM Page Page Customer Needs Assessment Page Page Page Types of Users Page Page Table 2-1.Network Users Types of Connections Table 2-2.Network Users Page Figure 2-1.Wireless and Wired Zones Private wired zone Private wireless Public wireless Private remote Figure 2-2.Access Control Zones Page Determine Risk Tolerance Sarbanes-Oxley Health Insurance Portability and Accounting Act Gramm-Leach-Bliley Act (GLBA) ■Federal Information Security Management Act of (FISMA) Payment Card Industry Data Security Standard (PCI Lagging organizations Normative Vulnerability to Attacks Page Adware Spyware Rootkits Trojan Horses Viruses Worms ProCurve’s Virus Throttle™ Intrusion detection system (IDS)/intrusion prevention system ProCurve Network Immunity Evaluate the Existing Network Environment Table 2-3.Recording Information about Network Switches Figure 2-3.The AP as a Supplicant Table 2-4.Recording Information about APs Page Table 2-5.Recording Information about Workstations and Laptops Table 2-6.Recording Information about Other Endpoints Page Figure 2-4.Sample Network Diagram Determine Your Endpoint Integrity Requirements ■Browser Security Policy—Windows ■Security Settings—Windows ■Operating System—Windows Intranet Trusted Restricted Internet High Table 2-7.Default Settings for Internet Explorer Zones Page Networks to which the endpoint Security settings for macros Local security settings The Human Factor Page Page Page Designing Access Controls Page Page Page Comprehensive Security Policy Page Goals Audience Roles and responsibilities Business Page Figure 3-1.Diagram of the PCU Campus Dormitories Classrooms Plaza Remote access Figure 3-2.PCU Campus Zones Figure 3-3.Network Infrastructure Divided into Access Zones Choose the Access Control Methods Advantages and Disadvantages of Access Control Methods Page Table 3-2.Security Concerns by Zone Page Page Table 3-3.Wireless Security Public Wireless Zones Private Wireless Zones Credentials Page Table 3-5.Level of Technical Knowledge Access Control Method by User Sophistication Level Access Control Method by User Type and Sophistication Access Control Method by Administrative Workload Table 3-9.Endpoint Compatibility of Access Control Methods Table 3-10.Configuration of PCU’s Endpoints Table 3-11.Access Control Method by Endpoint Capabilities Table 3-12.Administrative Control Levels Table 3-13.Access Control Method by Administrative Control Level Table 3-14.Authentication Method by Administrative Control Table 3-15.Network Access Control Capabilities of ProCurve Edge Switches Table 3-17.Access Control Method by Existing Infrastructure Page Table 3-18.Network Access Control Capabilities of ProCurve Edge Switches Table 3-19.Access Control Methods by Feasibility Table 3-20.Preliminary Decisions for the Access Control Method Table 3-21.Preliminary Decisions for the Access Control Method Table 3-22.Access Control Methods for Each Zone Make Decisions about Remote Access (VPN) Table 3-23.Disadvantages of Remote Access Table 3-24.Advantages of Remote Access Table 3-25.Options for VPN Protocols Page Table 3-26.Selecting VPN Options Based on Security Needs Page Table 3-27.Selecting VPN Options Based on User Type and Sophistication Page Table 3-28.Selecting VPN Options Based on Administrative Workload and IT Budget Table 3-29.Endpoint Compatibility for Remote Access Table 3-30.Selecting VPN Options Based on Endpoint Table 3-31.Selecting VPN Options Based on Existing Network Infrastructure Table 3-32.Preliminary Decisions for VPN Options Table 3-33.PCU’s Preliminary Decisions for VPN Options Choose the Endpoint Integrity Deployment Method Page Table 3-34.Options for Endpoint Integrity Deployment Method by Access Control Method Table 3-35.Deployment Method by Access Control Method Page Table 3-36.Security Level of Deployment Methods Table 3-37.Deployment Method by Security Table 3-38.Deployment Method by Existing Network Infrastructure Table 3-39.Deployment Method by Connection Type Table 3-40.Preliminary Decisions for the Endpoint Integrity Deployment Method Table 3-41.Preliminary Decisions for the Endpoint Integrity Deployment Method Table 3-42.Deployment Method by Zone Choose Endpoint Integrity Testing Methods Table 3-43.Summary of Testing Methods Automatically before Automatically at initial Figure 3-4.InstallShield Wizard for the NAC EI Agent Manually Page Configured in cluster Submitted by the end-user C a u t i o n Page Page Page >Testing methods Page Page Table 3-44.Testing Method by Control over Endpoints Example Table 3-45.Testing Method by Administrative Control Table 3-46.Testing Methods by Post-ConnectTesting Table 3-47.Testing Method by Post-ConnectTesting Table 3-48.Testing Method by User Sophistication Table 3-49.Testing Methods for User Sophistication Table 3-50.Testing Methods by Administrative Workload Table 3-51.Testing Methods for Administrative Workload Table 3-52.Testing Method by Network Overhead Table 3-53.Preliminary Decisions for Testing Methods Table 3-54.Preliminary Decisions for Testing Method Choose RADIUS Servers Figure 3-8.Network Authentication Architecture Authenticate Authorize Create accounting records Table 3-55.General Combination Integrated Table 3-56.Integrated Server Combination server/proxy Table 3-57.Integrated Server/Proxy Combination Integrated server/proxy to turnkey Table 3-59.Integrated Server/Proxy to Turnkey Server Combination Fully integrated Table 3-60.Fully Integrated Combination Table 3-63.Number of Users for Access Control Component Combinations Table 3-64.Scalability of Access Control Component Combinations Table 3-65.Access Control Component Combinations Single-site autonomous fully distributed centralized Table 3-66.Access Control Architecture Options for Component Combinations Table 3-67.RADIUS Server Locations (Centralizing Policies) Table 3-68.RADIUS Server Locations (Eliminating Inter-SiteTraffic) Table 3-69.RADIUS Server Locations (Reducing Inter-SiteTraffic) Table 3-70.RADIUS Server Locations for PCU Providing Redundancy Improving Performance Page Page Page Page Page Table 3-71.General Combination for the NAC Table 3-72.Integrated Server/Proxy for the NAC Table 3-73.Turnkey Server Combination for the NAC Table 3-74.Integrated Server/Proxy to Turnkey Combination for the NAC Page Add ProCurve IDM Page Page Select an EAP Method for Figure 3-10.EAP Method Decision Flowchart Page Table 3-75.EAP Methods Supported by 802.1X Supplicants Table 3-76.EAP Methods Supported by RADIUS Servers Page Finalize Security Policies Table 3-77.Final Security Policy by Zone Table 3-78.Example Security Policy by Zone Page Table 3-79.Access Profiles assignment Table 3-80.Dynamic VLANs Table 3-81.Dynamic VLANs for PCU Allowed resources Table 3-82.Resources by Entire VLAN Table 3-83.Resources Table 3-84.PCU Resources by VLAN Table 3-85.PCU Resources Table 3-86.Resources Allowed in Access Profiles Table 3-87.Resources Allowed in PCU Access Profiles Rate limits and QoS Table 3-88.Resources Allowed in Access Profiles Access Policy Group Rules Normal access rights Limited access Table 3-89.Access Policy Group Rules Table 3-90.Sample Access Policy Group Rules for PCU Page Table 3-91.RADIUS Attributes in Access Requests Table 3-92.Authentication Protocols for My Policies Table 3-93.Dynamic Settings for My Policies Domains Hardware Workgroups Tests for Minimal Endpoint Integrity. All endpoints should be free of Table 3-94.Tests for Minimal Endpoint Integrity Table 3-95.Tests for Minimal Endpoint Integrity Table 3-96.Tests for Medium Endpoint Integrity Page Table 3-98.Macro Security Tests Table 3-99.Other Tests for Hotfixes Table 3-100.Windows Automatic Updates Table 3-101.Tests for Applications Table 3-102.Tests for Services Table 3-103.Tests for Shared Connections Table 3-104.Tests on Mac Airport Page Table 3-105.Test for Windows Startup Registry Entries Lay Out the Network Page Figure 3-11.Adding Switches and VLANs to the Core Resources Access Control Method Guest Access VLAN Assignment and Other Dynamic Settings. You can set up the Endpoint Integrity Table 3-106.Public Wired Zone Policies Choose Switches Table 3-107.Network Access Control Capabilities of ProCurve Edge Switches Table 3-108.Public Wireless Zone Policies Encryption Choose APs Table 3-109.Capabilities of ProCurve Wireless Products Table 3-110.Authentication and Encryption Supported by ProCurve Wireless Products Table 3-111.PoE Requirements on ProCurve RPs and APs Table 3-112.ProCurve Products That Support PoE Page Table 3-113.Private Wired Zone Policies VLAN Assignment and Other Dynamic Settings. A successfully authen Table 3-114.Network Access Control Capabilities of ProCurve Edge Switches Table 3-115.Private Wireless Zone Policies Page Page Table 3-116.VPN Capabilities of the ProCurve Secure Router 7000dl Series Table 3-117.VPN Capabilities of the ProCurve VPN Client Page Integrating all Parts of the Network Design Page Page Other Resources Implementation Table 4-1.Elements of Each Access Control Solution Page Appendix A: Glossary See also DHCP deployment method and inline deployment method 802.1X quarantine NAC policy integrity posture inline quarantine method access grace period access method access mode enforcement cluster ADSL adware AEA IDM symmetric key IPsec ESP asymmetric TACACS+ endpoint integrity AVP back door biometrics Bluetooth BSD public key private key certificate See CA. authority Challenge See CHAP Handshake symmetric IPSec digital certificate See certificate DNS domain EAPOL EAP-GTC EAP-TLS certificate authentication EAP-TTLS enforcement See ES. server NAC policies Ethernet ports inline deployment method DCHP deployment method hash HMAC MAC IAS IGMP access control state access grace period JavaScript ISMI L2TP lightweight See LDAP. directory access protocol load balancing managed endpoint management See MS. server MS-CHAP NAC NAC policy group NAS NAT NAT-T NAT network access network access See NAC. controller network access See NAS. server PCM PDA PDP PEAP PKI policy repository post-connect posture See integrity posture PPTP pre-connect quarantine quarantine all deployment method quarantine subnet radio port See RP RC4 SSL remote mirroring remote procedure See RPC. call rootkit SHA-1 shared secret smart card smart phone asymmetric keys Telnet testing methods NAC agent test method ActiveX test method agentless test method Trojan virus worm TTLS unmanaged VoIP VSA Wireless Edge Services Module WMI WPA WPA-PSK Xauth Xsupplicant 802.1X supplicant RADUIS zero-day Page Numerics Page Page Page Page Page Page Page Addendum to the ProCurve Access Control Security Design Guide Page Page ProCurve Access Control Solution Adaptive access control with endpoint Adaptive EDGE capabilities Endpoint integrity checking Adaptive access Access Control with Endpoint Page Page Page Figure A-2.DHCP Plug-in Deployment—SingleNAC 800 and Multiple DHCP Servers ■Better synchronization with Microsoft Active Directory (AD) Integration with NPS and NAP Secure Access Wizard Microsoft NAP Figure A-3.NAP Architecture ■NAP client ■NAP enforcement point ■NAP health policy server (NPS) ■Health requirement servers ■Restricted network ■Remediation servers ■Active Directory domain service IPsec NAP EAPHost NAP VPN NAP DHCP NAP Figure A-4. Client-SideNAP Architecture HRA Table A-2.NAP ECs and Corresponding NAP Enforcement Points Page Figure A-5. IPsec-Protectedand Unprotected Communications Secure Boundary Figure A-6.HRA Network Access Figure A-7.DHCP Network Access Figure A-8.VPN Network Access Figure A-9.IEEE 802.1X Network Access Figure A-10.Relationship of NAP Clients to Remediation Servers Figure A-11.Relationship between NPS and Health Requirement Servers Updating the Access Control Design Process Microsoft Network Access Protection Table A-3.Options for Endpoint Integrity Solution by Existing Network Environment Examples Page Page Table A-6.Preliminary Decisions for the Endpoint Integrity Deployment Method Table A-7.Preliminary Decisions for the Endpoint Integrity Deployment Method Table A-8.Preliminary Decisions for the Endpoint Integrity Deployment Method