Addendum to the ProCurve Access Control Security Design Guide

Updating the Access Control Design Process

several components on the NPS and policy enforcement points. Because the NAP solution tends to be more distributed, it may require more management resources to maintain.

For either solution, IDM increases manageability. In the graphical interface of IDM, you can easily set up access controls based on endpoint integrity. IDM also enhances NPS by dynamically managing access rights on a per-session basis.

In short, both solutions require a degree of setup. If your company must upgrade its servers to Windows Server 2008 or its stations to Windows XP or Windows Vista, this effort will make it more difficult to deploy NAP. However, your company may be planning these upgrades for other reasons. In that case, deploying the NAC 800 may add more work.

Keep in mind that, whichever option you select, IDM dramatically improves manageability and functionality.

Examples. PCU has not upgraded to Vista and Windows Server 2008, and it does not want to do so at this time. Network administrators suggest deploying NAC 800 managed by IDM.

Again, ProCurve, Inc. has upgraded to Vista and Windows Server 2008. These network administrators recommend NAP because they think it will be easier to configure another service on Windows Server 2008. They also recommend using IDM to make management that much easier.

Interoperability Requirements

Finally, you should consider your network’s interoperability requirements. If you prefer the suite of Windows security solutions and services, you can select NAP, in which all the servers interact with each other. At this point, the NAC 800 does not interoperate with NAP. However, IDM does support NAP fully, and you can still use IDM to manage all of your access controls.

If you require interoperability in a heterogeneous environment, you should select the NAC 800. The NAC 800 follows industry standards, whereas NAP does not. For example, NAP uses non-standard EAP and VPN extensions, so it might not work with your existing solutions. NAP also specifies proprietary DHCP options, requiring you to use the Windows Server 2008 DHCP service. Because the NAC 800 follows industry standards, it will continue to interoperate with other products in the future, protecting your investment.
