Manuals / HP / Computer Equipment / Software

HP Access Control Client Software manual Figure A-9. Ieee 802.1X Network Access

Models: Access Control Client Software

1 338

Download 338 pages 18.69 Kb

Page 326

Addendum to the ProCurve Access Control Security Design Guide

Microsoft NAP

Figure A-9. IEEE 802.1X Network Access

1.The NAP client (using the EAPHost NAP EC) sends its SSoH to an 802.1X authenticator using PEAP over EAPOL.

As you already learned in this chapter, the 802.1X authenticator is an access point such as a switch or wireless AP.

2.The authenticator sends the endpoint’s SSoH to the NPS using PEAP over

RADIUS.

3.The NPS performs a system health validation and sends its verdict to the authenticator. This verdict includes instructions on how the authenticator should control the endpoint’s access.

4.The authenticator enforces the verdict:

a.Places a compliant endpoint in the Unrestricted VLAN, for which the ID is specified in the verdict.

b.Applies the IP filters specified in the verdict to a non-compliant endpoint.

c.Places a non-compliant endpoint in the Restricted VLAN, for which the ID is specified in the verdict.

A-22

Image 326

HP Access Control Client Software manual Figure A-9. Ieee 802.1X Network Access

Contents

ProCurve Solutions Page ProCurve Access Control Security Applicable ProCurve Products Contents Customer Needs Assessment Evaluate the Existing Network Environment Designing Access Controls Endpoint Capabilities and Administrative Control Page Appendix a Glossary Index Page Page Page Access Control Concepts ContentsAccess Control Concepts Introduction to Access Control Network Access Control Access Control Concepts Network Access Control Technologies AAAAuthentication Authorization T e Accounting NAS IDPolicy Enforcement Point PEP Network Access Control ArchitectureEndpoint Policy Decision Point PDP Access Control Concepts Policy Repository Network Access Control Process Network Access Control ArchitectureAuthentication-Based Network Access Control Methods MAC-AuthIntroduce security vulnerablities MAC-Auth Process Web-Auth Web-Auth Process 802.1X 802.1X Process MAC-Auth-None Authentication ProtocolsAuthentication Requirements PAP MS-CHAPv2 EAPAccess Control Concepts Access Control Concepts Radius NAS ID T e Wireless Authentication802.11 Static Wired Equivalent Privacy WEP Dynamic WEPWPA/WPA2 Access Control Rights-Dynamic Settings VLANsDevices ACLs Endpoint Integrity Endpoint Integrity PoliciesSoftware Pre-connect and Post-connect TestingSecurity Settings Operating SystemTesting Methods Access Control Concepts Endpoint Requirements for Integrity Checking WMI Endpoint Integrity Posture Quarantine MethodsUser’s assignment and places him or her in a quarantine Vlan T e NAC 800 as an Endpoint Integrity Only Solution ProCurve NAC802.1X Deployment Process for 802.1X Quarantining Endpoint Integrity Only.With each other Dhcp Deployment T e IP address = 192.168.8.1/24 IP address = 192.168.9.1/24 Inline Deployment Method NAC 800 as a RADIUS-Only Solution Solution NAC 800 as Both a Radius Server and an Endpoint IntegrityAccess Control Concepts User Authenticates and Is Placed in the Test Vlan Access Control Concepts User Re-authenticates and Is Placed in the Appropriate Vlan ProCurve IDM WlanIAS, and the IDM agent on the same Windows Server Radius Process with IDM Customer Needs Assessment Customer Needs Assessment Overview Customer Needs Assessment Types of Users EmployeesTemporary Employees GuestsNetwork Skills Recording Information about Users Network UsersTypes of Connections Wired ConnectionsWireless Connections Recording the Types of Connections Available to Users Group Permitted Connections Access Times Network ResourcesRemote Connections Access Control Zones Wireless and Wired Zones Access Control Zones Customer Needs Assessment Determine Risk Tolerance Regulations Federal Information Security Management Act Regulatory Compliance Quantify Your Company’s Risk ToleranceExternal Attacks Vulnerability to AttacksAttack Vectors Internal AttacksTypes of Attacks Malware Viruses and Worms Customer Needs Assessment Customer Needs Assessment Edge Devices Evaluate the Existing Network EnvironmentSize Port Mirroring Recording Information about Network SwitchesSwitch Vendor Firmware Location Model Number Version Supported Monitoring SpanningAP as a Supplicant Recording Information about APs EndpointsWorkstations and Laptops Customer Needs Assessment Laptop or Quantity User Operating Applications Other EndpointsRecording Information about Workstations and Laptops Workstation System NetworkRecording Information about Other Endpoints Directory ServiceRadius Servers Dchp Servers Subnets and VLANsRouting Information Network Diagram Sample Network DiagramDetermine Your Endpoint Integrity Requirements Browser Security Policy-WindowsCustomer Needs Assessment Zone Default Setting Select Security Settings for Your CompanyDefault Settings for Internet Explorer Zones Operating System-Windows Security Settings-OSSecurity Settings-Windows Software-Windows Human Factor Control over Network ResourcesIT Department Workload Users’ CooperationCustomer Needs Assessment Customer Needs Assessment Designing Access Controls Endpoint Capabilities and Administrative Control Designing Access ControlsSelect an EAP Method for 802.1X 106 Comprehensive Security Policy Components Designing Access Controls Process of Designing Access Control Security Example NetworkDiagram of the PCU Campus Designing Access Controls PCU Campus Zones Network Infrastructure Divided into Access Zones Choose the Access Control Methods Advantages and Disadvantages of Access Control MethodsHigh effort to Endpoints that accessHigh Security Zone Private Public Network Access Zones SecuritySecurity Concerns by Zone Wired Zone Security Concerns Wireless Zone Security Concerns WEPWireless Security WPA/WPA2 Tkip CCMP-AESWeb-Auth None by default Do your endpoints have 802.1X supplicants? Vulnerability and Risk Tolerance User Type and Sophistication Selecting an Access Control Method Based on Security NeededTechnical Knowledge Characteristics ExampleAccess Control Method by User Sophistication Level MAC-Auth Web-Auth 802.1XAdministrative Workload Access Control Method by User Type and SophisticationAccess Control Method by Administrative Workload Endpoint Compatibility of Access Control Methods10. Configuration of PCU’s Endpoints Hardware Type of Interface Operating SystemAdministrative Control over Endpoints 11. Access Control Method by Endpoint CapabilitiesDescription 12. Administrative Control Levels13. Access Control Method by Administrative Control Level Network Infrastructure Devices 14. Authentication Method by Administrative ControlSwitch Series MAC-Auth Web-Auth 802.1X ProCurve Product Software Version MAC-Auth Web-Auth 802.1X New capabilities for these wireless products17. Access Control Method by Existing Infrastructure Network Infrastructure Devices as 802.1X Supplicants ProCurve Switches 802.1X Supplicant Bringing All of the Factors Together19. Access Control Methods by Feasibility Them20. Preliminary Decisions for the Access Control Method Factor Weight Private Wired Public Wired21. Preliminary Decisions for the Access Control Method Zone Access Control Method Make Decisions about Remote Access VPN22. Access Control Methods for Each Zone Disadvantages Mitigating Factors Decide Whether to Grant Remote Access23. Disadvantages of Remote Access Advantages Explanation 24. Advantages of Remote AccessSelect VPN Options 25. Options for VPN Protocols Vulnerability and Risk Assessment DSA26. Selecting VPN Options Based on Security Needs They have? Router or firewall Administrative Workload and IT Budget Designing Access Controls 29. Endpoint Compatibility for Remote Access Native Capabilities With VPN ClientExisting Network Infrastructure 30. Selecting VPN Options Based on EndpointBringing All Factors Together 32. Preliminary Decisions for VPN Options 33. PCU’s Preliminary Decisions for VPN Options Access Control Method Choose the Endpoint Integrity Deployment MethodMAC-Auth 35. Deployment Method by Access Control Method Vulnerability to Risks and Risk ToleranceDesigning Access Controls 36. Security Level of Deployment Methods Factor Private Wired Public WiredPublic Wireless Remote 37. Deployment Method by Security38. Deployment Method by Existing Network Infrastructure WirelessConnection Type 39. Deployment Method by Connection Type Wireless Connection type InlineBringing the Factors Together Zone Deployment Method Factor Weight Private Wired Public Wired Remote Wireless42. Deployment Method by Zone Testing Method Advantages Disadvantages Choose Endpoint Integrity Testing Methods43. Summary of Testing Methods Requirements for Testing Methods NAC EI AgentInstallShield Wizard for the NAC EI Agent ActiveX Advantages and Disadvantages of NAC Agent TestingRequirements for ActiveX Testing Advantages and Disadvantages of ActiveX Testing AgentlessAdvantages and Disadvantages of Agentless Testing Deciding Which Testing Methods to EnableRequirements for Agentless Testing Transparent Testing Designing Access Controls Testing with User Interaction Testing methodsDesigning Access Controls Factors to Consider for Testing Methods Administrative Control over EndpointsFactor Public Wired Private Wired 44. Testing Method by Control over Endpoints45. Testing Method by Administrative Control Private Wireless RemotePost-Connect Testing 46. Testing Methods by Post-Connect Testing47. Testing Method by Post-Connect Testing User SophisticationPrivate Remote Wireless 48. Testing Method by User Sophistication49. Testing Methods for User Sophistication Agentless ActiveX NAC IE Agent Administrative Workload50. Testing Methods by Administrative Workload 51. Testing Methods for Administrative Workload Network OverheadFactor Public Wired 52. Testing Method by Network Overhead53. Preliminary Decisions for Testing Methods Bringing All of the Factors Together54. Preliminary Decisions for Testing Method Network Authentication Architecture Choose Radius ServersRadius Servers in a Network Without Endpoint Integrity Choose Which Devices Will Play the Role of PDP57. Integrated Server/Proxy Combination 55. General Combination56. Integrated Server Combination 58. Turnkey ServerPEPs with Built-in PDPs 60. Fully Integrated Combination61. Alternate Integrated Server/Proxy Combination PEPs with Built-in PDPs and Policy/Credential RepositoriesUsers Combination Wired Per LAN Wireless Per LAN Total WAN Most Scalable 64. Scalability of Access Control Component Combinations65. Access Control Component Combinations Least ScalableChoose an Access Control Architecture Designing Access Controls 67. Radius Server Locations Centralizing Policies 68. Radius Server Locations Eliminating Inter-Site Traffic 69. Radius Server Locations Reducing Inter-Site Traffic Determine the Number of Radius Servers 70. Radius Server Locations for PCUChoose Your Radius Servers and Finalize the Plan Radius Server Decision Tree Designing Access Controls IAS as the Radius Server Does your organization already use IAS for other functions?NAC 800 as the Radius Server 73. Turnkey Server Combination for the NAC 71. General Combination for the NAC72. Integrated Server/Proxy for the NAC Wireless Edge Services Module Database Designing Access Controls Determine If You Need IDM Add ProCurve IDMIDM Overview Design Parameters for a Network with IDM Create Access Policy Groups Add Users10. EAP Method Decision Flowchart Select an EAP Method forDesigning Access Controls 75. EAP Methods Supported by 802.1X Supplicants SupplicantServer 76. EAP Methods Supported by Radius ServersEAP-TNC EAP-LEAP Not Designing Access Controls 77. Final Security Policy by Zone Finalize Security PoliciesUser Groups and Policies 78. Example Security Policy by ZoneAccess Group Policies with IDM Access Profiles 79. Access ProfilesAccess Profile 80. Dynamic VLANs81. Dynamic VLANs for PCU Resource Vlan ID Subnet Address 82. Resources by Entire Vlan83. Resources Resource IP Address Protocol84. PCU Resources by Vlan 85. PCU Resources86. Resources Allowed in Access Profiles Access Profile Resources87. Resources Allowed in PCU Access Profiles Access Profile ResourceFaculty Web servers, white pages Library catalog and printer 88. Resources Allowed in Access Profiles Resources Rate Limit QoSAccess Policy Inputs Group Location Time System 89. Access Policy Group Rules90. Sample Access Policy Group Rules for PCU Outputs-Access ProfileAccess Policies without IDM 91. Radius Attributes in Access Requests Attribute Explanation Value for My PolicyAttribute Policy 1-Setting Policy 2-Setting 92. Authentication Protocols for My Policies93. Dynamic Settings for My Policies Create the NAC Policies Design NAC Policy GroupsDesign NAC Policies 94. Tests for Minimal Endpoint Integrity 95. Tests for Minimal Endpoint Integrity96. Tests for Medium Endpoint Integrity Anti-Virus Anti-Spyware Personal Firewalls Mac Firewall97. Web Browser Tests Test Settings Mozilla Firefox Browser? Enter the required versions in TableMicrosoft Excel Microsoft Outlook 98. Macro Security Tests99. Other Tests for Hotfixes Windows Media Mac QuickTime IISOptions Your selection 100. Windows Automatic Updates101. Tests for Applications 104. Tests on Mac Airport 102. Tests for Services103. Tests for Shared Connections Windows Bridge Network Connection Mac Internet SharingSpecified as allowed 105. Test for Windows Startup Registry Entries Lay Out the NetworkCore Resources T e Access Zones for Endpoints Public Wired ZoneVlan Assignment and Other Dynamic Settings. You can set up 106. Public Wired Zone Policies 133Public Wireless Zone 108. Public Wireless Zone PoliciesDesigning Access Controls 109. Capabilities of ProCurve Wireless Products Product Software Version Radios Modes WLANsVersion Methods 802.1X Software AuthenticationEAP Method for 111. PoE Requirements on ProCurve RPs and APs 112. ProCurve Products That Support PoELay Out the Network Private Wired Zone 113. Private Wired Zone PoliciesMight otherwise be ignored MS-CHAPv2 Private Wireless Zone115. Private Wireless Zone Policies Remote Zone Designing Access Controls Tunnels Module VPN Protocol Maximum EncryptionNumber 3DESOverlapping Zones Combining Access Control Zone DesignsAdjacent Zones 117. VPN Capabilities of the ProCurve VPN ClientDesigning Adjacent and Overlapping Zones Adding Access Control to an Existing Network Integrating all Parts of the Network DesignMigrating from One Solution to Another 150 Services and Support ProCurve Elite PartnersImplementation Other ResourcesElements of Each Access Control Solution Elements SolutionOther Resources Appendix a Glossary NumericSee also Dhcp deployment method and inline deployment method Access point See AP Appendix a GlossaryAgent See NAC EI agent Appendix a Glossary Appendix a Glossary Appendix a Glossary Digital certificate See certificate EI See endpoint integrity Extensible See EAP Authentication Protocol GTC See EAP-GTC Enforcement See ES. serverInline quarantine method Appendix a Glossary Mirroring, remote See remote mirroring Lightweight See LDAP. directory access ProtocolManagement See MS. server Appendix a Glossary Appendix a Glossary PoE Peer-to-peerPermanent agent Public key See PKI. infrastructure Posture See integrity posturePre-shared key See PSK Radio port See RP Remote procedure See RPC. call Appendix a Glossary Appendix a Glossary Appendix a Glossary Appendix a Glossary Html Appendix a Glossary Appendix a Glossary Index See DNS EAP … 1-21, 1-25, 1-53 EAP GTC … See Imsi OS-X See SOX security policies TLS See WEP Contents Contents Overview ProCurve Access Control Solution Enhancements to the ProCurve Access Control Solution SMB Signing Deep Check TestingProCurve NAC Support for Rdac Post-Connect NAC TestingIntegration with Microsoft SMS Dhcp Plug-in Deployment Identity Driven Manager Better synchronization with Microsoft Active DirectoryProCurve Access Control Solution Microsoft NAP NAP ComponentsNAP client NAP enforcement pointHealth requirement servers Active Directory domain serviceNAP health policy server NPS Restricted networkSystem Health Agents SHAs NAP Client ArchitectureNAP Enforcement Clients ECs NAP AgentNAP Server Architecture Figure A-4. Client-Side NAP ArchitectureNAP Enforcement Point NAP Enforcement PointTable A-2. NAP ECs and Corresponding NAP Enforcement Points IPsec Network Access MethodsHealth Requirement Servers Figure A-5. IPsec-Protected and Unprotected Communications Figure A-6. HRA Network Access Dhcp VPN Access 802.1X AuthenticationFigure A-9. Ieee 802.1X Network Access Remediation and Health Requirement Servers Updating the Access Control Design Process Choose the Endpoint Integrity Solution Existing Network EnvironmentVulnerability to Risks and Risk Tolerance Existing Network Environment OptionManagement Resources Risk ToleranceInteroperability Requirements Interoperability Option Requirements Factor Weight SelectionBringing the Factors Together Choose the Endpoint Integrity Deployment Method Updating the Access Control Design Process Updating the Access Control Design Process