HP Access Control Client Software Process

Access Control Concepts

Network Access Control Technologies

	In theory, a MAC address is unique and unalterable and therefore a good
	choice for identifying whether the endpoint should be allowed access. In
	practice, however, an attacker can spoof a MAC address relatively easily.
	If you are using IAS, you might encounter another problem. MAC addresses
	do not conform to the rules for a typical user account. You must create an
	entirely new set of pseudo-user accounts, which can be tedious and might
	introduce security vulnerablities.
	Despite its flaws, MAC-Auth remains the only choice for devices that have
	neither user interfaces nor support for 802.1X.

N o t e	A device without a user interface may still support 802.1X. For example, many
	Voice-over-IP (VoIP) phones support EAP-Subscriber Identity Module (SIM)
	and include smart cards automatically configured with authentication creden-
	tials. In addition, some Hewlett-Packard (HP) printers support 802.1X.
	Process. An endpoint follows this process to connect to a network that

	enforces MAC-Auth:
	1. The endpoint connects to a PEP and begins generating traffic, typically
		Dynamic Host Configuration Protocol (DHCP) requests.
	2. The PEP observes that the traffic’s source MAC address is unauthenti-
		cated, so it drops the traffic.
	3.	The PEP generates an access request specifying the source MAC address
		as the username, and, as the password, either the same MAC address or
		a password configured on the PEP. The request also contains other
		information, such as the port, time, and so forth. The PEP forwards the
		request to an authentication server.
	4. The authentication server, acting as the PDP, verifies the MAC address
		against its own or a centrally managed data store. The authentication
		server may also retrieve policy information, such as rules for the times
		that the MAC address is allowed on the network or rules that specify
		authorization instructions (for example, a VLAN assignment).
	5.	The authentication server returns an accept or deny response to the PEP
		that is based on the results of step 4.

6. The PEP reconfigures itself dynamically to forward or block all traffic from the MAC address depending on the access decision. If the accept response included authorization instructions, the PEP configures itself to enforce them—for example, assigning the endpoint’s port to the specified VLAN.

1-17

Contents

ProCurve Solutions Page Page Page 1 Access Control Concepts 2 Customer Needs Assessment Determine Risk Tolerance Evaluate the Existing Network Environment 3 Designing Access Controls Page Page 4 Other Resources AAppendix A: Glossary Index Addendum to the ProCurve Access Control Security Design Guide Page Page Access Control Concepts Page Introduction to Access Control Data Applications Blocks access from unauthorized users at each network entry Eliminates frustrations created by piecemeal Page Network Access Control Technologies Authentication, authorization, and accounting Endpoint integrity Authorization Authentication Factors Something the user knows has Authentication Protocols N o t e Page Page Access request generator Access decision enforcer Translator Examples of RADIUS Servers Microsoft IAS (Windows Server Juniper Steel-Belted Radius Local Policy Repository Remote Policy Repository Figure 1-1.Network Access Control Architecture MAC authentication (MAC-Auth) Web authentication (Web-Auth) Process Figure 1-2.The MAC-AuthProcess Local MAC-Auth Page Figure 1-3.The Web-AuthProcess Page Figure 1-4.The 802.1X Process ■MAC-Auth—None Page Page EAP-Message Digest 5 (MD5) Lightweight EAP (LEAP) EAP-Tunneled TLS (TTLS) Protected EAP (PEAP) EAP-Generic Token Card (GTC) RADIUS Messages Access request challenge Access reject Page Page Page Page Page Management Default Unauthorized User Server Test Infected Page ■Security Settings ■Software ■Operating System ■Browser Security Policy Pre-connect Post-connect Permanent Agents Minimal impact on users Control Deployment Memory consumed on Transient Agents Ease of deployment Minimal impact on users and Unsupported Requirements on the application Combined Solutions Transient-agent Agentless Unknown Healthy Check-up DHCP Inline WAN A wireless network ProCurve NAC Process for 802.1X Quarantining (Endpoint Integrity Only). The Page Process for DHCP Quarantining Page Page Page Process for Inline Quarantining Page Process for 802.1X Quarantining Figure 1-5.The User Authenticates and Is Placed in the Test VLAN Figure 1-6.The NAC 800 Tests the User and Forces the User to Re-authenticate Figure 1-7.The User Re-authenticatesand Is Placed in the Appropriate VLAN ProCurve IDM Page Page Customer Needs Assessment Page Page Page Types of Users Page Page Table 2-1.Network Users Types of Connections Table 2-2.Network Users Page Figure 2-1.Wireless and Wired Zones Private wired zone Private wireless Public wireless Private remote Figure 2-2.Access Control Zones Page Determine Risk Tolerance Sarbanes-Oxley Health Insurance Portability and Accounting Act Gramm-Leach-Bliley Act (GLBA) ■Federal Information Security Management Act of (FISMA) Payment Card Industry Data Security Standard (PCI Lagging organizations Normative Vulnerability to Attacks Page Adware Spyware Rootkits Trojan Horses Viruses Worms ProCurve’s Virus Throttle™ Intrusion detection system (IDS)/intrusion prevention system ProCurve Network Immunity Evaluate the Existing Network Environment Table 2-3.Recording Information about Network Switches Figure 2-3.The AP as a Supplicant Table 2-4.Recording Information about APs Page Table 2-5.Recording Information about Workstations and Laptops Table 2-6.Recording Information about Other Endpoints Page Figure 2-4.Sample Network Diagram Determine Your Endpoint Integrity Requirements ■Browser Security Policy—Windows ■Security Settings—Windows ■Operating System—Windows Intranet Trusted Restricted Internet High Table 2-7.Default Settings for Internet Explorer Zones Page Networks to which the endpoint Security settings for macros Local security settings The Human Factor Page Page Page Designing Access Controls Page Page Page Comprehensive Security Policy Page Goals Audience Roles and responsibilities Business Page Figure 3-1.Diagram of the PCU Campus Dormitories Classrooms Plaza Remote access Figure 3-2.PCU Campus Zones Figure 3-3.Network Infrastructure Divided into Access Zones Choose the Access Control Methods Advantages and Disadvantages of Access Control Methods Page Table 3-2.Security Concerns by Zone Page Page Table 3-3.Wireless Security Public Wireless Zones Private Wireless Zones Credentials Page Table 3-5.Level of Technical Knowledge Access Control Method by User Sophistication Level Access Control Method by User Type and Sophistication Access Control Method by Administrative Workload Table 3-9.Endpoint Compatibility of Access Control Methods Table 3-10.Configuration of PCU’s Endpoints Table 3-11.Access Control Method by Endpoint Capabilities Table 3-12.Administrative Control Levels Table 3-13.Access Control Method by Administrative Control Level Table 3-14.Authentication Method by Administrative Control Table 3-15.Network Access Control Capabilities of ProCurve Edge Switches Table 3-17.Access Control Method by Existing Infrastructure Page Table 3-18.Network Access Control Capabilities of ProCurve Edge Switches Table 3-19.Access Control Methods by Feasibility Table 3-20.Preliminary Decisions for the Access Control Method Table 3-21.Preliminary Decisions for the Access Control Method Table 3-22.Access Control Methods for Each Zone Make Decisions about Remote Access (VPN) Table 3-23.Disadvantages of Remote Access Table 3-24.Advantages of Remote Access Table 3-25.Options for VPN Protocols Page Table 3-26.Selecting VPN Options Based on Security Needs Page Table 3-27.Selecting VPN Options Based on User Type and Sophistication Page Table 3-28.Selecting VPN Options Based on Administrative Workload and IT Budget Table 3-29.Endpoint Compatibility for Remote Access Table 3-30.Selecting VPN Options Based on Endpoint Table 3-31.Selecting VPN Options Based on Existing Network Infrastructure Table 3-32.Preliminary Decisions for VPN Options Table 3-33.PCU’s Preliminary Decisions for VPN Options Choose the Endpoint Integrity Deployment Method Page Table 3-34.Options for Endpoint Integrity Deployment Method by Access Control Method Table 3-35.Deployment Method by Access Control Method Page Table 3-36.Security Level of Deployment Methods Table 3-37.Deployment Method by Security Table 3-38.Deployment Method by Existing Network Infrastructure Table 3-39.Deployment Method by Connection Type Table 3-40.Preliminary Decisions for the Endpoint Integrity Deployment Method Table 3-41.Preliminary Decisions for the Endpoint Integrity Deployment Method Table 3-42.Deployment Method by Zone Choose Endpoint Integrity Testing Methods Table 3-43.Summary of Testing Methods Automatically before Automatically at initial Figure 3-4.InstallShield Wizard for the NAC EI Agent Manually Page Configured in cluster Submitted by the end-user C a u t i o n Page Page Page >Testing methods Page Page Table 3-44.Testing Method by Control over Endpoints Example Table 3-45.Testing Method by Administrative Control Table 3-46.Testing Methods by Post-ConnectTesting Table 3-47.Testing Method by Post-ConnectTesting Table 3-48.Testing Method by User Sophistication Table 3-49.Testing Methods for User Sophistication Table 3-50.Testing Methods by Administrative Workload Table 3-51.Testing Methods for Administrative Workload Table 3-52.Testing Method by Network Overhead Table 3-53.Preliminary Decisions for Testing Methods Table 3-54.Preliminary Decisions for Testing Method Choose RADIUS Servers Figure 3-8.Network Authentication Architecture Authenticate Authorize Create accounting records Table 3-55.General Combination Integrated Table 3-56.Integrated Server Combination server/proxy Table 3-57.Integrated Server/Proxy Combination Integrated server/proxy to turnkey Table 3-59.Integrated Server/Proxy to Turnkey Server Combination Fully integrated Table 3-60.Fully Integrated Combination Table 3-63.Number of Users for Access Control Component Combinations Table 3-64.Scalability of Access Control Component Combinations Table 3-65.Access Control Component Combinations Single-site autonomous fully distributed centralized Table 3-66.Access Control Architecture Options for Component Combinations Table 3-67.RADIUS Server Locations (Centralizing Policies) Table 3-68.RADIUS Server Locations (Eliminating Inter-SiteTraffic) Table 3-69.RADIUS Server Locations (Reducing Inter-SiteTraffic) Table 3-70.RADIUS Server Locations for PCU Providing Redundancy Improving Performance Page Page Page Page Page Table 3-71.General Combination for the NAC Table 3-72.Integrated Server/Proxy for the NAC Table 3-73.Turnkey Server Combination for the NAC Table 3-74.Integrated Server/Proxy to Turnkey Combination for the NAC Page Add ProCurve IDM Page Page Select an EAP Method for Figure 3-10.EAP Method Decision Flowchart Page Table 3-75.EAP Methods Supported by 802.1X Supplicants Table 3-76.EAP Methods Supported by RADIUS Servers Page Finalize Security Policies Table 3-77.Final Security Policy by Zone Table 3-78.Example Security Policy by Zone Page Table 3-79.Access Profiles assignment Table 3-80.Dynamic VLANs Table 3-81.Dynamic VLANs for PCU Allowed resources Table 3-82.Resources by Entire VLAN Table 3-83.Resources Table 3-84.PCU Resources by VLAN Table 3-85.PCU Resources Table 3-86.Resources Allowed in Access Profiles Table 3-87.Resources Allowed in PCU Access Profiles Rate limits and QoS Table 3-88.Resources Allowed in Access Profiles Access Policy Group Rules Normal access rights Limited access Table 3-89.Access Policy Group Rules Table 3-90.Sample Access Policy Group Rules for PCU Page Table 3-91.RADIUS Attributes in Access Requests Table 3-92.Authentication Protocols for My Policies Table 3-93.Dynamic Settings for My Policies Domains Hardware Workgroups Tests for Minimal Endpoint Integrity. All endpoints should be free of Table 3-94.Tests for Minimal Endpoint Integrity Table 3-95.Tests for Minimal Endpoint Integrity Table 3-96.Tests for Medium Endpoint Integrity Page Table 3-98.Macro Security Tests Table 3-99.Other Tests for Hotfixes Table 3-100.Windows Automatic Updates Table 3-101.Tests for Applications Table 3-102.Tests for Services Table 3-103.Tests for Shared Connections Table 3-104.Tests on Mac Airport Page Table 3-105.Test for Windows Startup Registry Entries Lay Out the Network Page Figure 3-11.Adding Switches and VLANs to the Core Resources Access Control Method Guest Access VLAN Assignment and Other Dynamic Settings. You can set up the Endpoint Integrity Table 3-106.Public Wired Zone Policies Choose Switches Table 3-107.Network Access Control Capabilities of ProCurve Edge Switches Table 3-108.Public Wireless Zone Policies Encryption Choose APs Table 3-109.Capabilities of ProCurve Wireless Products Table 3-110.Authentication and Encryption Supported by ProCurve Wireless Products Table 3-111.PoE Requirements on ProCurve RPs and APs Table 3-112.ProCurve Products That Support PoE Page Table 3-113.Private Wired Zone Policies VLAN Assignment and Other Dynamic Settings. A successfully authen Table 3-114.Network Access Control Capabilities of ProCurve Edge Switches Table 3-115.Private Wireless Zone Policies Page Page Table 3-116.VPN Capabilities of the ProCurve Secure Router 7000dl Series Table 3-117.VPN Capabilities of the ProCurve VPN Client Page Integrating all Parts of the Network Design Page Page Other Resources Implementation Table 4-1.Elements of Each Access Control Solution Page Appendix A: Glossary See also DHCP deployment method and inline deployment method 802.1X quarantine NAC policy integrity posture inline quarantine method access grace period access method access mode enforcement cluster ADSL adware AEA IDM symmetric key IPsec ESP asymmetric TACACS+ endpoint integrity AVP back door biometrics Bluetooth BSD public key private key certificate See CA. authority Challenge See CHAP Handshake symmetric IPSec digital certificate See certificate DNS domain EAPOL EAP-GTC EAP-TLS certificate authentication EAP-TTLS enforcement See ES. server NAC policies Ethernet ports inline deployment method DCHP deployment method hash HMAC MAC IAS IGMP access control state access grace period JavaScript ISMI L2TP lightweight See LDAP. directory access protocol load balancing managed endpoint management See MS. server MS-CHAP NAC NAC policy group NAS NAT NAT-T NAT network access network access See NAC. controller network access See NAS. server PCM PDA PDP PEAP PKI policy repository post-connect posture See integrity posture PPTP pre-connect quarantine quarantine all deployment method quarantine subnet radio port See RP RC4 SSL remote mirroring remote procedure See RPC. call rootkit SHA-1 shared secret smart card smart phone asymmetric keys Telnet testing methods NAC agent test method ActiveX test method agentless test method Trojan virus worm TTLS unmanaged VoIP VSA Wireless Edge Services Module WMI WPA WPA-PSK Xauth Xsupplicant 802.1X supplicant RADUIS zero-day Page Numerics Page Page Page Page Page Page Page Addendum to the ProCurve Access Control Security Design Guide Page Page ProCurve Access Control Solution Adaptive access control with endpoint Adaptive EDGE capabilities Endpoint integrity checking Adaptive access Access Control with Endpoint Page Page Page Figure A-2.DHCP Plug-in Deployment—SingleNAC 800 and Multiple DHCP Servers ■Better synchronization with Microsoft Active Directory (AD) Integration with NPS and NAP Secure Access Wizard Microsoft NAP Figure A-3.NAP Architecture ■NAP client ■NAP enforcement point ■NAP health policy server (NPS) ■Health requirement servers ■Restricted network ■Remediation servers ■Active Directory domain service IPsec NAP EAPHost NAP VPN NAP DHCP NAP Figure A-4. Client-SideNAP Architecture HRA Table A-2.NAP ECs and Corresponding NAP Enforcement Points Page Figure A-5. IPsec-Protectedand Unprotected Communications Secure Boundary Figure A-6.HRA Network Access Figure A-7.DHCP Network Access Figure A-8.VPN Network Access Figure A-9.IEEE 802.1X Network Access Figure A-10.Relationship of NAP Clients to Remediation Servers Figure A-11.Relationship between NPS and Health Requirement Servers Updating the Access Control Design Process Microsoft Network Access Protection Table A-3.Options for Endpoint Integrity Solution by Existing Network Environment Examples Page Page Table A-6.Preliminary Decisions for the Endpoint Integrity Deployment Method Table A-7.Preliminary Decisions for the Endpoint Integrity Deployment Method Table A-8.Preliminary Decisions for the Endpoint Integrity Deployment Method