Addendum to the ProCurve Access Control Security Design Guide

ProCurve Access Control Solution 2.1

Post-Connect NAC Testing

Post-connect checking is a key component of a true endpoint integrity solution. Without it, users quickly learn that they can circumvent your security settings—for example, by raising their browser security settings, connecting to the network, and immediately lowering the settings again once they have been admitted.

The NAC 800 has always supported post-connect checking performed by the NAC 800 itself. Now, however, the NAC 800 also supports post-connect testing by other security devices. You can use post-connect NAC testing to have other security devices, such as an IDS/IPS, perform additional testing and monitoring to detect attacks or other threats after the endpoint has been admitted. If an endpoint fails this additional testing, the security device can send a request to the NAC 800, which then quarantines the endpoint. Integrating additional security checking with the NAC 800 in this way gives you a single point of enforcement on the network: other devices detect, and the NAC 800 enforces.

Integration with Microsoft SMS

The NAC 800 can also integrate with Microsoft SMS for patch management. If an endpoint requires a patch, NAC 800 can automatically contact SMS to ensure that the patch has been applied.

Support for RDAC

To discover information about endpoints on the network, the ProCurve NAC 800 uses Device Activity Capture (DAC), which listens on the network for DHCP traffic. DAC listens for DHCP ACK messages—which a DHCP server sends to each DHCP client when it confirms a lease—so that DAC can detect endpoints joining the network, and the NAC 800 can then test them. (DAC can also be configured to discover other types of IP traffic, such as traffic from endpoints with static IP addresses, if necessary.) Because DAC is passive, it can only see DHCP traffic that actually reaches the interface it listens on, which is what drives the placement requirements described below.
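The following is an added example, not HP/ProCurve code, showing the core of what a DAC-style listener does: pick DHCPACK messages out of a stream of DHCP payloads and record which MAC address was handed which IP by which server. The packets are constructed inline for the example (not captured traffic); the function names, the `Endpoint` record and the sample MACs and addresses are all assumptions of this example. It goes slightly beyond the paragraph in handling the DHCPINFORM case, where the ACK carries the client's existing address in ciaddr rather than yiaddr (RFC 2131), and in rejecting truncated option fields instead of trusting a length byte.

```python
"""DAC-style DHCP listener logic: extract endpoint identity from DHCPACK messages.
Added example, not HP/ProCurve code; all packets below are constructed, not captured."""
import socket
import struct
from dataclasses import dataclass

MAGIC_COOKIE = b"\x63\x82\x53\x63"   # RFC 2131 marker that precedes the option field
BOOTREQUEST, BOOTREPLY = 1, 2
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_END, OPT_PAD = 53, 54, 255, 0
DHCPDISCOVER, DHCPOFFER, DHCPREQUEST, DHCPACK, DHCPNAK, DHCPINFORM = 1, 2, 3, 5, 6, 8


@dataclass(frozen=True)
class Endpoint:           # hypothetical record type for this example
    mac: str
    ip: str
    server_ip: str


def build_dhcp(op, msg_type, mac, yiaddr="0.0.0.0", ciaddr="0.0.0.0", siaddr="0.0.0.0"):
    """Build a minimal BOOTP/DHCP payload (constructed sample data for this example)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    fixed = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                        op, 1, 6, 0, 0x3903F326, 0, 0,
                        socket.inet_aton(ciaddr), socket.inet_aton(yiaddr),
                        socket.inet_aton(siaddr), b"\x00" * 4,
                        chaddr, b"\x00" * 64, b"\x00" * 128)
    opts = MAGIC_COOKIE + bytes([OPT_MSG_TYPE, 1, msg_type])
    if op == BOOTREPLY:
        opts += bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(siaddr)
    return fixed + opts + bytes([OPT_END])


def parse_options(payload):
    """Walk the TLV option field starting at offset 240. Return None on a truncated
    or malformed field rather than trusting a length byte that runs past the buffer."""
    opts, i = {}, 240
    while i < len(payload):
        tag = payload[i]
        if tag == OPT_END:
            return opts
        if tag == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None
        opts[tag] = value
        i += 2 + length
    return None  # no END option: treat as malformed


def endpoint_from_ack(payload):
    """Return an Endpoint if payload is a DHCPACK that reveals a client's address;
    otherwise None (requests, offers, NAKs and malformed data are ignored)."""
    if len(payload) < 240 or payload[236:240] != MAGIC_COOKIE:
        return None
    op, hlen = payload[0], payload[2]
    if op != BOOTREPLY or not 1 <= hlen <= 16:
        return None
    opts = parse_options(payload)
    if opts is None or opts.get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    ciaddr, yiaddr, siaddr = payload[12:16], payload[16:20], payload[20:24]
    # An ACK answering DHCPINFORM carries no lease: yiaddr is 0.0.0.0 and the
    # client's existing address is in ciaddr (RFC 2131). Fall back to it.
    ip = yiaddr if yiaddr != b"\x00" * 4 else ciaddr
    if ip == b"\x00" * 4:
        return None
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    server = opts.get(OPT_SERVER_ID, siaddr)
    return Endpoint(mac=mac, ip=socket.inet_ntoa(ip), server_ip=socket.inet_ntoa(server))


def discover_endpoints(payloads):
    """The listener loop: feed every DHCP payload seen on the wire and keep the
    latest address per MAC. Only ACKs change the table."""
    table = {}
    for p in payloads:
        ep = endpoint_from_ack(p)
        if ep is not None:
            table[ep.mac] = ep
    return table


# Constructed sample exchange: a normal DORA handshake for one client, a NAK for
# a second, and an INFORM/ACK for a third that already has a static address.
SAMPLE = [
    build_dhcp(BOOTREQUEST, DHCPDISCOVER, "00:11:22:33:44:55"),
    build_dhcp(BOOTREPLY, DHCPOFFER, "00:11:22:33:44:55", yiaddr="10.1.2.50", siaddr="10.1.2.1"),
    build_dhcp(BOOTREQUEST, DHCPREQUEST, "00:11:22:33:44:55"),
    build_dhcp(BOOTREPLY, DHCPACK, "00:11:22:33:44:55", yiaddr="10.1.2.50", siaddr="10.1.2.1"),
    build_dhcp(BOOTREPLY, DHCPNAK, "aa:bb:cc:dd:ee:ff", siaddr="10.1.2.1"),
    build_dhcp(BOOTREQUEST, DHCPINFORM, "66:77:88:99:aa:bb", ciaddr="10.1.2.200"),
    build_dhcp(BOOTREPLY, DHCPACK, "66:77:88:99:aa:bb", ciaddr="10.1.2.200", siaddr="10.1.2.1"),
]

if __name__ == "__main__":
    for mac, ep in discover_endpoints(SAMPLE).items():
        print(f"{mac} -> {ep.ip} (confirmed by {ep.server_ip})")
```

Of the seven sample payloads only the two ACKs produce endpoint records; the DISCOVER, REQUEST, OFFER and NAK are ignored, which is the property that makes an ACK the right trigger for starting a NAC test. A real listener would read these payloads from a raw socket or a mirror port, which is exactly why DAC needs to be on a switch, or a mirrored path, where the DHCP server's replies are visible.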

In the first release of the NAC 800, DAC ran only on the NAC 800. In this configuration, DAC is sometimes referred to as Embedded DAC (EDAC).

Now, however, the NAC 800 supports DAC running as a standalone service on a Windows DHCP server. When running on a DHCP server, rather than on the NAC 800, DAC is said to be remote DAC (RDAC). While running on the Windows DHCP server, RDAC sends the DHCP information it observes back to the NAC 800.

Because RDAC is relaying information to the NAC 800, you have another option for placing the NAC 800 in an 802.1X deployment. Without RDAC, you must connect the DHCP server to the same switch as the NAC 800 or use remote mirroring if you connect the DHCP server to another switch. RDAC

