Addendum to the ProCurve Access Control Security Design Guide

Updating the Access Control Design Process

As explained in Chapter 3: “Designing Access Controls” of the ProCurve Access Control Security Solution Design Guide, the NAC 800 can be deployed in three ways, which correspond with the quarantine method:

802.1X

Dynamic Host Configuration Protocol (DHCP)

Inline

Chapter 3: “Designing Access Controls” also offers four factors to consider when choosing a deployment method:

Access control method

Vulnerability to risks and risk tolerance

Existing network infrastructure

Connection type

When considering the network infrastructure, the Design Guide explains that you must determine whether your network switches support traffic mirroring (which may be called port mirroring, port monitoring, or port spanning, depending on your switch). This feature allows the NAC 800s to detect and test endpoints.

You also had to determine whether the switches support local traffic mirroring—mirroring traffic from one port to another port on the same switch—or remote traffic mirroring—mirroring traffic from a local switch to a remote switch.

As mentioned earlier, RDAC support provides a third option. If you have Windows 2003 DHCP servers, your switches do not have to support either local or remote mirroring. This gives you more flexibility in placing your NAC 800 in an 802.1X deployment. Likewise, the DHCP plug-in gives you another option for placing the NAC 800 in a DHCP deployment.

With RDAC and the DHCP plug-in, you may require fewer NAC 800s for your network. When RDAC runs on your Windows 2003 DHCP servers, it can submit DHCP information to the NAC 800 from any location on the network—provided that the network is set up to route the information correctly. If you want to use an 802.1X deployment and your switches support only local mirroring, you do not have to connect a NAC 800 to each switch that connects to a DHCP server or relocate your DHCP servers so they all connect to the same switch. With the DHCP plug-in deployment, you can place the NAC 800 anywhere on the network, rather than:

Placing a NAC 800 between each DHCP server and the network

Connecting all the DHCP servers to the same switch and placing the NAC 800 between the switch and the rest of the network
