Manuals / HP / Computer Equipment / Software

HP Access Control Client Software manual Tls

Models: Access Control Client Software

1 338

Download 338 pages 18.69 Kb

Page 303

T

TACACS+ … 1-6 telephones … 2-30 testing

access control … 1-37

administrative control as a factor … 3-69 administrative workload as a factor … 3-74 agentless … 1-40, 1-41

endpoint … 1-42

medium endpoint integrity … 3-123 minimal endpoint integrity … 3-122 network overhead … 3-75 post-connect … 1-37, 3-71 pre-connect … 1-37 requirements

ActiveX … 3-62 agentless … 3-64 NAC EI agent … 3-61

rigorous endpoint integrity … 3-123 See also testing methods selecting … 3-124

selection factors for methods … 3-69 transparent … 3-65

user interaction … 3-67

user sophistication as a factor … 3-72 Web browsers … 3-124

testing methods … 1-38 ActiveX … 3-62 agentless … 2-37, 3-63 enabling … 3-64 NAC EI agent … 3-60

operation of, on NAC 800 … 3-65 selecting … 3-59

TKIP … 1-32

TLS

See EAP-TLS token card … 1-7 transport level security

See EAP-TLS Trojan horses … 2-21

TTLS

See EAP-TTLS tunneled TLS

See EAP-TTLS

U

Unknown

See endpoint integrity, posture user sophistication

access control methods … 3-22 remote access … 3-42 testing methods … 3-72

user types employees … 2-5 guests … 2-6 temporary … 2-6

users

sophistication level … 2-7

V

Virus Throttle software, ProCurve … 2-23 viruses … 2-22

VLANs … 1-9, 1-17, 1-20, 1-22, 1-33, 1-53, 2-32 assignment … 3-108, 3-132, 3-136, 3-141, 3-143 dynamic … 1-33, 3-109

quarantine … 1-35, 1-43, 1-47, 1-54 quarantine subnet … 1-50

voice over IP (VoIP) … 1-17, 2-30 VPN … 1-44, 2-32

client

selecting … 3-144 encryption … 3-144 gateway

selecting … 3-144 options for … 3-39 protocol … 3-144

selecting options for … 3-36, 3-38

W

WANs … 1-44 Web browser

tests … 3-124 Web-Auth … 1-19, 2-27, 3-19

advantages of … 3-13 disadvantages of … 3-13 endpoint integrity and … 3-51

Index – 7

Image 303

HP Access Control Client Software manual Tls

Contents

ProCurve Solutions Page ProCurve Access Control Security Applicable ProCurve Products Contents Customer Needs Assessment Evaluate the Existing Network Environment Designing Access Controls Endpoint Capabilities and Administrative Control Page Appendix a Glossary Index Page Page Page Contents Access Control ConceptsAccess Control Concepts Introduction to Access Control Network Access Control Access Control Concepts AAA Network Access Control TechnologiesAuthentication Authorization T e NAS ID AccountingNetwork Access Control Architecture EndpointPolicy Enforcement Point PEP Policy Decision Point PDP Access Control Concepts Policy Repository Network Access Control Architecture Network Access Control ProcessMAC-Auth Authentication-Based Network Access Control MethodsIntroduce security vulnerablities MAC-Auth Process Web-Auth Web-Auth Process 802.1X 802.1X Process Authentication Protocols Authentication RequirementsMAC-Auth-None PAP EAP MS-CHAPv2Access Control Concepts Access Control Concepts Radius NAS ID Wireless Authentication 802.11T e Dynamic WEP Static Wired Equivalent Privacy WEPWPA/WPA2 VLANs Access Control Rights-Dynamic SettingsDevices ACLs Endpoint Integrity Policies Endpoint IntegrityOperating System Pre-connect and Post-connect TestingSecurity Settings SoftwareTesting Methods Access Control Concepts Endpoint Requirements for Integrity Checking WMI Quarantine Methods Endpoint Integrity PostureUser’s assignment and places him or her in a quarantine Vlan T e ProCurve NAC NAC 800 as an Endpoint Integrity Only SolutionProcess for 802.1X Quarantining Endpoint Integrity Only. 802.1X DeploymentWith each other Dhcp Deployment T e IP address = 192.168.8.1/24 IP address = 192.168.9.1/24 Inline Deployment Method NAC 800 as a RADIUS-Only Solution NAC 800 as Both a Radius Server and an Endpoint Integrity SolutionAccess Control Concepts User Authenticates and Is Placed in the Test Vlan Access Control Concepts User Re-authenticates and Is Placed in the Appropriate Vlan Wlan ProCurve IDMIAS, and the IDM agent on the same Windows Server Radius Process with IDM Customer Needs Assessment Customer Needs Assessment Overview Customer Needs Assessment Employees Types of UsersGuests Temporary EmployeesNetwork Skills Network Users Recording Information about UsersWired Connections Wireless ConnectionsTypes of Connections Group Permitted Connections Access Times Network Resources Remote ConnectionsRecording the Types of Connections Available to Users Access Control Zones Wireless and Wired Zones Access Control Zones Customer Needs Assessment Determine Risk Tolerance Regulations Federal Information Security Management Act Quantify Your Company’s Risk Tolerance Regulatory ComplianceInternal Attacks Vulnerability to AttacksAttack Vectors External AttacksTypes of Attacks Malware Viruses and Worms Customer Needs Assessment Customer Needs Assessment Evaluate the Existing Network Environment SizeEdge Devices Model Number Version Supported Monitoring Spanning Recording Information about Network SwitchesSwitch Vendor Firmware Location Port MirroringAP as a Supplicant Endpoints Workstations and LaptopsRecording Information about APs Customer Needs Assessment Workstation System Network Other EndpointsRecording Information about Workstations and Laptops Laptop or Quantity User Operating ApplicationsDirectory Service Radius ServersRecording Information about Other Endpoints Subnets and VLANs Routing InformationDchp Servers Sample Network Diagram Network DiagramBrowser Security Policy-Windows Determine Your Endpoint Integrity RequirementsCustomer Needs Assessment Select Security Settings for Your Company Default Settings for Internet Explorer ZonesZone Default Setting Security Settings-OS Security Settings-WindowsOperating System-Windows Software-Windows Control over Network Resources Human FactorUsers’ Cooperation IT Department WorkloadCustomer Needs Assessment Customer Needs Assessment Designing Access Controls Designing Access Controls Endpoint Capabilities and Administrative ControlSelect an EAP Method for 802.1X 106 Comprehensive Security Policy Components Designing Access Controls Example Network Process of Designing Access Control SecurityDiagram of the PCU Campus Designing Access Controls PCU Campus Zones Network Infrastructure Divided into Access Zones Advantages and Disadvantages of Access Control Methods Choose the Access Control MethodsEndpoints that access HighHigh effort to Network Access Zones Security Security Concerns by ZoneSecurity Zone Private Public Wired Zone Security Concerns WEP Wireless Zone Security ConcernsWPA/WPA2 Tkip CCMP-AES Wireless SecurityWeb-Auth None by default Do your endpoints have 802.1X supplicants? Vulnerability and Risk Tolerance Example Selecting an Access Control Method Based on Security NeededTechnical Knowledge Characteristics User Type and SophisticationMAC-Auth Web-Auth 802.1X Access Control Method by User Sophistication LevelAccess Control Method by User Type and Sophistication Administrative WorkloadEndpoint Compatibility of Access Control Methods Access Control Method by Administrative WorkloadHardware Type of Interface Operating System 10. Configuration of PCU’s Endpoints11. Access Control Method by Endpoint Capabilities Administrative Control over Endpoints12. Administrative Control Levels 13. Access Control Method by Administrative Control LevelDescription 14. Authentication Method by Administrative Control Switch Series MAC-Auth Web-Auth 802.1XNetwork Infrastructure Devices New capabilities for these wireless products 17. Access Control Method by Existing InfrastructureProCurve Product Software Version MAC-Auth Web-Auth 802.1X Network Infrastructure Devices as 802.1X Supplicants Bringing All of the Factors Together ProCurve Switches 802.1X SupplicantThem 19. Access Control Methods by FeasibilityFactor Weight Private Wired Public Wired 20. Preliminary Decisions for the Access Control Method21. Preliminary Decisions for the Access Control Method Make Decisions about Remote Access VPN 22. Access Control Methods for Each ZoneZone Access Control Method Decide Whether to Grant Remote Access 23. Disadvantages of Remote AccessDisadvantages Mitigating Factors 24. Advantages of Remote Access Select VPN OptionsAdvantages Explanation 25. Options for VPN Protocols DSA Vulnerability and Risk Assessment26. Selecting VPN Options Based on Security Needs They have? Router or firewall Administrative Workload and IT Budget Designing Access Controls Native Capabilities With VPN Client 29. Endpoint Compatibility for Remote Access30. Selecting VPN Options Based on Endpoint Existing Network InfrastructureBringing All Factors Together 32. Preliminary Decisions for VPN Options 33. PCU’s Preliminary Decisions for VPN Options Choose the Endpoint Integrity Deployment Method Access Control MethodMAC-Auth Vulnerability to Risks and Risk Tolerance 35. Deployment Method by Access Control MethodDesigning Access Controls 37. Deployment Method by Security Factor Private Wired Public WiredPublic Wireless Remote 36. Security Level of Deployment MethodsWireless Connection Type38. Deployment Method by Existing Network Infrastructure Wireless Connection type Inline Bringing the Factors Together39. Deployment Method by Connection Type Factor Weight Private Wired Public Wired Remote Wireless 42. Deployment Method by ZoneZone Deployment Method Choose Endpoint Integrity Testing Methods 43. Summary of Testing MethodsTesting Method Advantages Disadvantages NAC EI Agent Requirements for Testing MethodsInstallShield Wizard for the NAC EI Agent Advantages and Disadvantages of NAC Agent Testing Requirements for ActiveX TestingActiveX Agentless Advantages and Disadvantages of ActiveX TestingDeciding Which Testing Methods to Enable Requirements for Agentless TestingAdvantages and Disadvantages of Agentless Testing Transparent Testing Designing Access Controls Testing methods Testing with User InteractionDesigning Access Controls Administrative Control over Endpoints Factors to Consider for Testing MethodsPrivate Wireless Remote 44. Testing Method by Control over Endpoints45. Testing Method by Administrative Control Factor Public Wired Private Wired46. Testing Methods by Post-Connect Testing Post-Connect TestingUser Sophistication 47. Testing Method by Post-Connect Testing48. Testing Method by User Sophistication 49. Testing Methods for User SophisticationPrivate Remote Wireless Administrative Workload 50. Testing Methods by Administrative WorkloadAgentless ActiveX NAC IE Agent Network Overhead 51. Testing Methods for Administrative WorkloadBringing All of the Factors Together 52. Testing Method by Network Overhead53. Preliminary Decisions for Testing Methods Factor Public Wired54. Preliminary Decisions for Testing Method Choose Radius Servers Network Authentication ArchitectureChoose Which Devices Will Play the Role of PDP Radius Servers in a Network Without Endpoint Integrity58. Turnkey Server 55. General Combination56. Integrated Server Combination 57. Integrated Server/Proxy CombinationPEPs with Built-in PDPs and Policy/Credential Repositories 60. Fully Integrated Combination61. Alternate Integrated Server/Proxy Combination PEPs with Built-in PDPsUsers Combination Wired Per LAN Wireless Per LAN Total WAN Least Scalable 64. Scalability of Access Control Component Combinations65. Access Control Component Combinations Most ScalableChoose an Access Control Architecture Designing Access Controls 67. Radius Server Locations Centralizing Policies 68. Radius Server Locations Eliminating Inter-Site Traffic 69. Radius Server Locations Reducing Inter-Site Traffic 70. Radius Server Locations for PCU Determine the Number of Radius ServersChoose Your Radius Servers and Finalize the Plan Radius Server Decision Tree Designing Access Controls Does your organization already use IAS for other functions? IAS as the Radius ServerNAC 800 as the Radius Server 71. General Combination for the NAC 72. Integrated Server/Proxy for the NAC73. Turnkey Server Combination for the NAC Wireless Edge Services Module Database Designing Access Controls Add ProCurve IDM IDM OverviewDetermine If You Need IDM Design Parameters for a Network with IDM Add Users Create Access Policy GroupsSelect an EAP Method for 10. EAP Method Decision FlowchartDesigning Access Controls Supplicant 75. EAP Methods Supported by 802.1X Supplicants76. EAP Methods Supported by Radius Servers EAP-TNC EAP-LEAP NotServer Designing Access Controls 78. Example Security Policy by Zone Finalize Security PoliciesUser Groups and Policies 77. Final Security Policy by ZoneAccess Group Policies with IDM 80. Dynamic VLANs 79. Access ProfilesAccess Profile Access Profiles81. Dynamic VLANs for PCU Resource IP Address Protocol 82. Resources by Entire Vlan83. Resources Resource Vlan ID Subnet Address85. PCU Resources 84. PCU Resources by VlanAccess Profile Resources 86. Resources Allowed in Access ProfilesAccess Profile Resource 87. Resources Allowed in PCU Access ProfilesFaculty Web servers, white pages Library catalog and printer Resources Rate Limit QoS 88. Resources Allowed in Access ProfilesOutputs-Access Profile 89. Access Policy Group Rules90. Sample Access Policy Group Rules for PCU Access Policy Inputs Group Location Time SystemAccess Policies without IDM Attribute Explanation Value for My Policy 91. Radius Attributes in Access Requests92. Authentication Protocols for My Policies 93. Dynamic Settings for My PoliciesAttribute Policy 1-Setting Policy 2-Setting Design NAC Policy Groups Create the NAC PoliciesDesign NAC Policies 95. Tests for Minimal Endpoint Integrity 94. Tests for Minimal Endpoint IntegrityAnti-Virus Anti-Spyware Personal Firewalls Mac Firewall 96. Tests for Medium Endpoint IntegrityBrowser? Enter the required versions in Table 97. Web Browser Tests Test Settings Mozilla FirefoxWindows Media Mac QuickTime IIS 98. Macro Security Tests99. Other Tests for Hotfixes Microsoft Excel Microsoft Outlook100. Windows Automatic Updates 101. Tests for ApplicationsOptions Your selection Windows Bridge Network Connection Mac Internet Sharing 102. Tests for Services103. Tests for Shared Connections 104. Tests on Mac AirportSpecified as allowed Lay Out the Network Core Resources105. Test for Windows Startup Registry Entries T e Public Wired Zone Access Zones for EndpointsVlan Assignment and Other Dynamic Settings. You can set up 133 106. Public Wired Zone Policies108. Public Wireless Zone Policies Public Wireless ZoneDesigning Access Controls Product Software Version Radios Modes WLANs 109. Capabilities of ProCurve Wireless ProductsSoftware Authentication EAP Method forVersion Methods 802.1X 112. ProCurve Products That Support PoE 111. PoE Requirements on ProCurve RPs and APsLay Out the Network 113. Private Wired Zone Policies Private Wired ZoneMight otherwise be ignored Private Wireless Zone 115. Private Wireless Zone PoliciesMS-CHAPv2 Remote Zone Designing Access Controls 3DES Module VPN Protocol Maximum EncryptionNumber Tunnels117. VPN Capabilities of the ProCurve VPN Client Combining Access Control Zone DesignsAdjacent Zones Overlapping ZonesDesigning Adjacent and Overlapping Zones Integrating all Parts of the Network Design Adding Access Control to an Existing NetworkMigrating from One Solution to Another 150 ProCurve Elite Partners Services and SupportOther Resources ImplementationElements Solution Elements of Each Access Control SolutionOther Resources Numeric Appendix a GlossarySee also Dhcp deployment method and inline deployment method Appendix a Glossary Access point See APAgent See NAC EI agent Appendix a Glossary Appendix a Glossary Appendix a Glossary Digital certificate See certificate EI See endpoint integrity Enforcement See ES. server Extensible See EAP Authentication Protocol GTC See EAP-GTCInline quarantine method Appendix a Glossary Lightweight See LDAP. directory access Protocol Management See MS. serverMirroring, remote See remote mirroring Appendix a Glossary Appendix a Glossary Peer-to-peer Permanent agentPoE Posture See integrity posture Pre-shared key See PSKPublic key See PKI. infrastructure Radio port See RP Remote procedure See RPC. call Appendix a Glossary Appendix a Glossary Appendix a Glossary Appendix a Glossary Html Appendix a Glossary Appendix a Glossary Index See DNS EAP … 1-21, 1-25, 1-53 EAP GTC … See Imsi OS-X See SOX security policies TLS See WEP Contents Contents Overview ProCurve Access Control Solution Enhancements to the ProCurve Access Control Solution Deep Check Testing ProCurve NACSMB Signing Post-Connect NAC Testing Integration with Microsoft SMSSupport for Rdac Dhcp Plug-in Deployment Better synchronization with Microsoft Active Directory Identity Driven ManagerProCurve Access Control Solution NAP Components Microsoft NAPNAP enforcement point NAP clientRestricted network Active Directory domain serviceNAP health policy server NPS Health requirement serversNAP Agent NAP Client ArchitectureNAP Enforcement Clients ECs System Health Agents SHAsFigure A-4. Client-Side NAP Architecture NAP Server ArchitectureNAP Enforcement Point Table A-2. NAP ECs and Corresponding NAP Enforcement PointsNAP Enforcement Point Network Access Methods Health Requirement ServersIPsec Figure A-5. IPsec-Protected and Unprotected Communications Figure A-6. HRA Network Access Dhcp 802.1X Authentication VPN AccessFigure A-9. Ieee 802.1X Network Access Remediation and Health Requirement Servers Updating the Access Control Design Process Existing Network Environment Choose the Endpoint Integrity SolutionExisting Network Environment Option Vulnerability to Risks and Risk ToleranceRisk Tolerance Management ResourcesInteroperability Requirements Factor Weight Selection Bringing the Factors TogetherInteroperability Option Requirements Choose the Endpoint Integrity Deployment Method Updating the Access Control Design Process Updating the Access Control Design Process