ProCurve Access Control Security
Models:
Access Control Client Software
ProCurve Access Control Security
April 2008
Design Guide
2.1.XX
Contents
ProCurve Solutions
Applicable ProCurve Products
Customer Needs Assessment
Evaluate the Existing Network Environment
Designing Access Controls
Endpoint Capabilities and Administrative Control
Appendix A Glossary
Index
Access Control Concepts
Introduction to Access Control
Network Access Control
AAA
Network Access Control Technologies
Authentication
Authorization
NAS ID
Accounting
Network Access Control Architecture
Endpoint
Policy Enforcement Point PEP
Policy Decision Point PDP
Policy Repository
Network Access Control Architecture
Network Access Control Process
MAC-Auth
Authentication-Based Network Access Control Methods
Introduce security vulnerabilities
MAC-Auth Process
Web-Auth
Web-Auth Process
802.1X
802.1X Process
Authentication Protocols
Authentication Requirements
MAC-Auth-None
PAP
EAP
MS-CHAPv2
RADIUS
NAS ID
Wireless Authentication
802.11
Dynamic WEP
Static Wired Equivalent Privacy WEP
WPA/WPA2
VLANs
Access Control Rights-Dynamic Settings
Devices
ACLs
Endpoint Integrity Policies
Endpoint Integrity
Operating System
Pre-connect and Post-connect Testing
Security Settings
Software
Testing Methods
Endpoint Requirements for Integrity Checking
WMI
Quarantine Methods
Endpoint Integrity Posture
ProCurve NAC
NAC 800 as an Endpoint Integrity Only Solution
Process for 802.1X Quarantining (Endpoint Integrity Only)
802.1X Deployment
DHCP Deployment
Inline Deployment Method
NAC 800 as a RADIUS-Only Solution
NAC 800 as Both a RADIUS Server and an Endpoint Integrity Solution
User Authenticates and Is Placed in the Test VLAN
User Re-authenticates and Is Placed in the Appropriate VLAN
WLAN
ProCurve IDM
IAS, and the IDM agent on the same Windows Server
RADIUS Process with IDM
Customer Needs Assessment
Overview
Employees
Types of Users
Guests
Temporary Employees
Network Skills
Network Users
Recording Information about Users
Wired Connections
Wireless Connections
Types of Connections
Group Permitted Connections Access Times Network Resources
Remote Connections
Recording the Types of Connections Available to Users
Access Control Zones
Wireless and Wired Zones
Access Control Zones
Determine Risk Tolerance
Regulations
Federal Information Security Management Act
Quantify Your Company’s Risk Tolerance
Regulatory Compliance
Internal Attacks
Vulnerability to Attacks
Attack Vectors
External Attacks
Types of Attacks
Malware
Viruses and Worms
Evaluate the Existing Network Environment
Size
Edge Devices
Model Number Version Supported Monitoring Spanning
Recording Information about Network Switches
Switch Vendor Firmware Location
Port Mirroring
AP as a Supplicant
Endpoints
Workstations and Laptops
Recording Information about APs
Workstation System Network
Other Endpoints
Recording Information about Workstations and Laptops
Laptop or Quantity User Operating Applications
Directory Service
RADIUS Servers
Recording Information about Other Endpoints
Subnets and VLANs
Routing Information
DHCP Servers
Sample Network Diagram
Network Diagram
Browser Security Policy-Windows
Determine Your Endpoint Integrity Requirements
Select Security Settings for Your Company
Default Settings for Internet Explorer Zones
Zone Default Setting
Security Settings-OS
Security Settings-Windows
Operating System-Windows
Software-Windows
Control over Network Resources
Human Factor
Users’ Cooperation
IT Department Workload
Designing Access Controls
Endpoint Capabilities and Administrative Control
Select an EAP Method for 802.1X
Comprehensive Security Policy
Components
Example Network
Process of Designing Access Control Security
Diagram of the PCU Campus
PCU Campus Zones
Network Infrastructure Divided into Access Zones
Advantages and Disadvantages of Access Control Methods
Choose the Access Control Methods
Network Access Zones Security
Security Concerns by Zone
Security Zone Private Public
Wired Zone Security Concerns
WEP
Wireless Zone Security Concerns
WPA/WPA2 TKIP CCMP-AES
Wireless Security
Web-Auth None by default
Do your endpoints have 802.1X supplicants?
Vulnerability and Risk Tolerance
Example
Selecting an Access Control Method Based on Security Needed
Technical Knowledge Characteristics
User Type and Sophistication
MAC-Auth Web-Auth 802.1X
Access Control Method by User Sophistication Level
Access Control Method by User Type and Sophistication
Administrative Workload
Endpoint Compatibility of Access Control Methods
Access Control Method by Administrative Workload
Hardware Type of Interface Operating System
10. Configuration of PCU’s Endpoints
11. Access Control Method by Endpoint Capabilities
Administrative Control over Endpoints
12. Administrative Control Levels
13. Access Control Method by Administrative Control Level
Description
14. Authentication Method by Administrative Control
Switch Series MAC-Auth Web-Auth 802.1X
Network Infrastructure Devices
New capabilities for these wireless products
17. Access Control Method by Existing Infrastructure
ProCurve Product Software Version MAC-Auth Web-Auth 802.1X
Network Infrastructure Devices as 802.1X Supplicants
Bringing All of the Factors Together
ProCurve Switches 802.1X Supplicant
19. Access Control Methods by Feasibility
Factor Weight Private Wired Public Wired
20. Preliminary Decisions for the Access Control Method
21. Preliminary Decisions for the Access Control Method
Make Decisions about Remote Access VPN
22. Access Control Methods for Each Zone
Zone Access Control Method
Decide Whether to Grant Remote Access
23. Disadvantages of Remote Access
Disadvantages Mitigating Factors
24. Advantages of Remote Access
Select VPN Options
Advantages Explanation
25. Options for VPN Protocols
DSA
Vulnerability and Risk Assessment
26. Selecting VPN Options Based on Security Needs
Router or firewall
Administrative Workload and IT Budget
Native Capabilities With VPN Client
29. Endpoint Compatibility for Remote Access
30. Selecting VPN Options Based on Endpoint
Existing Network Infrastructure
Bringing All Factors Together
32. Preliminary Decisions for VPN Options
33. PCU’s Preliminary Decisions for VPN Options
Choose the Endpoint Integrity Deployment Method
Access Control Method
MAC-Auth
Vulnerability to Risks and Risk Tolerance
35. Deployment Method by Access Control Method
37. Deployment Method by Security
Factor Private Wired Public Wired
Public Wireless Remote
36. Security Level of Deployment Methods
Wireless
Connection Type
38. Deployment Method by Existing Network Infrastructure
Wireless Connection type Inline
Bringing the Factors Together
39. Deployment Method by Connection Type
Factor Weight Private Wired Public Wired Remote Wireless
42. Deployment Method by Zone
Zone Deployment Method
Choose Endpoint Integrity Testing Methods
43. Summary of Testing Methods
Testing Method Advantages Disadvantages
NAC EI Agent
Requirements for Testing Methods
InstallShield Wizard for the NAC EI Agent
Advantages and Disadvantages of NAC Agent Testing
Requirements for ActiveX Testing
ActiveX
Agentless
Advantages and Disadvantages of ActiveX Testing
Deciding Which Testing Methods to Enable
Requirements for Agentless Testing
Advantages and Disadvantages of Agentless Testing
Transparent Testing
Testing methods
Testing with User Interaction
Administrative Control over Endpoints
Factors to Consider for Testing Methods
Private Wireless Remote
44. Testing Method by Control over Endpoints
45. Testing Method by Administrative Control
Factor Public Wired Private Wired
46. Testing Methods by Post-Connect Testing
Post-Connect Testing
User Sophistication
47. Testing Method by Post-Connect Testing
48. Testing Method by User Sophistication
49. Testing Methods for User Sophistication
Private Remote Wireless
Administrative Workload
50. Testing Methods by Administrative Workload
Agentless ActiveX NAC EI Agent
Network Overhead
51. Testing Methods for Administrative Workload
Bringing All of the Factors Together
52. Testing Method by Network Overhead
53. Preliminary Decisions for Testing Methods
Factor Public Wired
54. Preliminary Decisions for Testing Method
Choose RADIUS Servers
Network Authentication Architecture
Choose Which Devices Will Play the Role of PDP
RADIUS Servers in a Network Without Endpoint Integrity
58. Turnkey Server
55. General Combination
56. Integrated Server Combination
57. Integrated Server/Proxy Combination
PEPs with Built-in PDPs and Policy/Credential Repositories
60. Fully Integrated Combination
61. Alternate Integrated Server/Proxy Combination
PEPs with Built-in PDPs
Users Combination Wired Per LAN Wireless Per LAN Total WAN
Least Scalable
64. Scalability of Access Control Component Combinations
65. Access Control Component Combinations
Most Scalable
Choose an Access Control Architecture
67. RADIUS Server Locations Centralizing Policies
68. RADIUS Server Locations Eliminating Inter-Site Traffic
69. RADIUS Server Locations Reducing Inter-Site Traffic
70. RADIUS Server Locations for PCU
Determine the Number of RADIUS Servers
Choose Your RADIUS Servers and Finalize the Plan
RADIUS Server Decision Tree
Does your organization already use IAS for other functions?
IAS as the RADIUS Server
NAC 800 as the RADIUS Server
71. General Combination for the NAC
72. Integrated Server/Proxy for the NAC
73. Turnkey Server Combination for the NAC
Wireless Edge Services Module Database
Add ProCurve IDM
IDM Overview
Determine If You Need IDM
Design Parameters for a Network with IDM
Add Users
Create Access Policy Groups
Select an EAP Method for
10. EAP Method Decision Flowchart
Supplicant
75. EAP Methods Supported by 802.1X Supplicants
76. EAP Methods Supported by RADIUS Servers
EAP-TNC EAP-LEAP Not
Server
78. Example Security Policy by Zone
Finalize Security Policies
User Groups and Policies
77. Final Security Policy by Zone
Access Group Policies with IDM
80. Dynamic VLANs
79. Access Profiles
Access Profile
Access Profiles
81. Dynamic VLANs for PCU
Resource IP Address Protocol
82. Resources by Entire VLAN
83. Resources
Resource VLAN ID Subnet Address
85. PCU Resources
84. PCU Resources by VLAN
Access Profile Resources
86. Resources Allowed in Access Profiles
Access Profile Resource
87. Resources Allowed in PCU Access Profiles
Faculty Web servers, white pages Library catalog and printer
Resources Rate Limit QoS
88. Resources Allowed in Access Profiles
Outputs-Access Profile
89. Access Policy Group Rules
90. Sample Access Policy Group Rules for PCU
Access Policy Inputs Group Location Time System
Access Policies without IDM
Attribute Explanation Value for My Policy
91. RADIUS Attributes in Access Requests
92. Authentication Protocols for My Policies
93. Dynamic Settings for My Policies
Attribute Policy 1-Setting Policy 2-Setting
Design NAC Policy Groups
Create the NAC Policies
Design NAC Policies
95. Tests for Minimal Endpoint Integrity
94. Tests for Minimal Endpoint Integrity
Anti-Virus Anti-Spyware Personal Firewalls Mac Firewall
96. Tests for Medium Endpoint Integrity
Browser? Enter the required versions in Table
97. Web Browser Tests Test Settings Mozilla Firefox
Windows Media Mac QuickTime IIS
98. Macro Security Tests
99. Other Tests for Hotfixes
Microsoft Excel Microsoft Outlook
100. Windows Automatic Updates
101. Tests for Applications
Options Your selection
Windows Bridge Network Connection Mac Internet Sharing
102. Tests for Services
103. Tests for Shared Connections
104. Tests on Mac Airport
Lay Out the Network
Core Resources
105. Test for Windows Startup Registry Entries
Public Wired Zone
Access Zones for Endpoints
VLAN Assignment and Other Dynamic Settings
106. Public Wired Zone Policies
108. Public Wireless Zone Policies
Public Wireless Zone
Product Software Version Radios Modes WLANs
109. Capabilities of ProCurve Wireless Products
Software Authentication
EAP Method for
Version Methods 802.1X
112. ProCurve Products That Support PoE
111. PoE Requirements on ProCurve RPs and APs
Lay Out the Network
113. Private Wired Zone Policies
Private Wired Zone
Private Wireless Zone
115. Private Wireless Zone Policies
MS-CHAPv2
Remote Zone
3DES
Module VPN Protocol Maximum Encryption
Number
Tunnels
117. VPN Capabilities of the ProCurve VPN Client
Combining Access Control Zone Designs
Adjacent Zones
Overlapping Zones
Designing Adjacent and Overlapping Zones
Integrating all Parts of the Network Design
Adding Access Control to an Existing Network
Migrating from One Solution to Another
ProCurve Elite Partners
Services and Support
Other Resources
Implementation
Elements Solution
Elements of Each Access Control Solution
Other Resources
Numeric
Appendix A Glossary
See also DHCP deployment method and inline deployment method
Access point See AP
Agent See NAC EI agent
Digital certificate See certificate
EI See endpoint integrity
Enforcement server See ES
Extensible Authentication Protocol See EAP
GTC See EAP-GTC
Inline quarantine method
Lightweight Directory Access Protocol See LDAP
Management server See MS
Mirroring, remote See remote mirroring
Peer-to-peer
Permanent agent
PoE
Posture See integrity posture
Pre-shared key See PSK
Public key infrastructure See PKI
Radio port See RP
Remote procedure call See RPC
HTML
Index
See DNS
EAP … 1-21, 1-25, 1-53 EAP GTC …
See Imsi
OS-X
See SOX security policies
TLS
See WEP
Contents
Overview
ProCurve Access Control Solution
Enhancements to the ProCurve Access Control Solution
Deep Check Testing
ProCurve NAC
SMB Signing
Post-Connect NAC Testing
Integration with Microsoft SMS
Support for Rdac
DHCP Plug-in Deployment
Better synchronization with Microsoft Active Directory
Identity Driven Manager
ProCurve Access Control Solution
NAP Components
Microsoft NAP
NAP enforcement point
NAP client
Restricted network
Active Directory domain service
NAP health policy server NPS
Health requirement servers
NAP Agent
NAP Client Architecture
NAP Enforcement Clients ECs
System Health Agents SHAs
Figure A-4. Client-Side NAP Architecture
NAP Server Architecture
NAP Enforcement Point
Table A-2. NAP ECs and Corresponding NAP Enforcement Points
NAP Enforcement Point
Network Access Methods
Health Requirement Servers
IPsec
Figure A-5. IPsec-Protected and Unprotected Communications
Figure A-6. HRA Network Access
DHCP
802.1X Authentication
VPN Access
Figure A-9. IEEE 802.1X Network Access
Remediation and Health Requirement Servers
Updating the Access Control Design Process
Existing Network Environment
Choose the Endpoint Integrity Solution
Existing Network Environment Option
Vulnerability to Risks and Risk Tolerance
Risk Tolerance
Management Resources
Interoperability Requirements
Factor Weight Selection
Bringing the Factors Together
Interoperability Option Requirements
Choose the Endpoint Integrity Deployment Method