Access Control Concepts
Network Access Control Technologies

Note: In “Endpoint Integrity” on page … endpoints for compliance with security policies. A network that enforces endpoint integrity might include additional VLANs:
■ Test: … connect to the network but before they are tested by the network access controller. A test VLAN can be the same as the quarantine VLAN (described below) or its own VLAN. In either case, the VLAN should be rather restrictive.
■ Quarantine: … the network’s security policies. A quarantine VLAN typically allows access only to resources necessary for bringing endpoints into compliance.
■ Infected: … detects viruses, trojans, or other malware. While you can place infected and quarantined endpoints in the same VLAN, you may want to separate them. Then infected endpoints do not spread malware to the uninfected, but insecure, quarantined endpoints.
These VLANs would be assigned to endpoints dynamically as part of the policies sent out by the RADIUS server (which, if you are using the ProCurve NAC 800, could be the network access controller itself). Note, however, that some network access controllers use different methods to quarantine end-
ACLs

A VLAN assignment ensures that a user receives an IP address in the correct subnet. ACLs control communications between subnets so that users in a particular VLAN receive access to the correct resources.
An ACL is a series of rules, or access control entries (ACEs), to which a network device compares every packet that arrives. Although ACLs can operate either at Layer 2 or Layer 3/4, this design guide focuses on Layer 3/4 ACLs. An ACE in such an ACL controls traffic according to a variety of fields in the IP header:
■ Protocol (TCP, UDP, Internet Group Management Protocol [IGMP], and so forth)
■ IP source address
■ Source port
■ IP destination address
■ Destination port (for example, UDP 67 to allow DHCP traffic or 80 to allow Web traffic)
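The following is an added example, not code from this design guide or from ProCurve, that models the two mechanisms described above together: the RADIUS server moves a port into a VLAN chosen by the endpoint's integrity state (the test, quarantine and infected VLANs in the earlier section), and a Layer 3/4 ACL then decides, ACE by ACE, what a quarantined subnet may reach. The VLAN numbers, subnets and server addresses are constructed for the example; the RADIUS attribute names are the standard RFC 3580 tunnel attributes, and the ACE matching follows the usual first-match, implicit-deny semantics.

```python
"""Model of RADIUS-driven VLAN assignment plus a Layer 3/4 ACL for a quarantine
subnet.  Constructed example; VLAN IDs, subnets and addresses are assumptions."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Assumed VLAN numbering for the integrity states discussed above (constructed).
VLAN_BY_STATE = {"untested": 98, "noncompliant": 99, "infected": 666, "compliant": 10}


def radius_vlan_attributes(state: str) -> dict:
    """Attributes a RADIUS server places in an Access-Accept to put the port into
    the VLAN for this integrity state (RFC 3580 tunnel attributes).  The
    state-to-VLAN mapping itself is an assumption of this example."""
    vlan = VLAN_BY_STATE[state]
    return {"Tunnel-Type": "VLAN",
            "Tunnel-Medium-Type": "IEEE-802",
            "Tunnel-Private-Group-ID": str(vlan)}


@dataclass(frozen=True)
class Packet:
    protocol: str            # "tcp", "udp", "igmp", ...
    src: str                 # source IP address
    dst: str                 # destination IP address
    sport: Optional[int] = None   # None for protocols without ports
    dport: Optional[int] = None


def _in_net(addr: str, net: str) -> bool:
    """Match an address against a CIDR prefix; "any" matches everything."""
    if net == "any":
        return True
    return ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


@dataclass(frozen=True)
class ACE:
    action: str              # "permit" or "deny"
    protocol: str            # "ip" matches any protocol
    src: str                 # CIDR prefix or "any"
    dst: str
    sport: Optional[int] = None   # None means any source port
    dport: Optional[int] = None   # None means any destination port

    def matches(self, pkt: Packet) -> bool:
        # Each field of the ACE is compared to the corresponding header field;
        # an unspecified field (None / "any" / "ip") is a wildcard.
        if self.protocol != "ip" and self.protocol != pkt.protocol:
            return False
        if not _in_net(pkt.src, self.src) or not _in_net(pkt.dst, self.dst):
            return False
        if self.sport is not None and pkt.sport != self.sport:
            return False
        if self.dport is not None and pkt.dport != self.dport:
            return False
        return True


def evaluate(acl: List[ACE], pkt: Packet) -> Tuple[str, Optional[int]]:
    """First matching ACE decides; returns (action, index).  A packet that
    matches nothing is implicitly denied, reported with index None."""
    for i, ace in enumerate(acl):
        if ace.matches(pkt):
            return ace.action, i
    return "deny", None


# Quarantine VLAN policy: only what is needed to bring an endpoint into
# compliance.  Subnet 10.99.0.0/24 and the server addresses are constructed.
QUARANTINE_ACL = [
    ACE("permit", "udp", "any", "any", dport=67),                     # DHCP
    ACE("permit", "udp", "10.99.0.0/24", "10.0.0.53/32", dport=53),   # DNS
    ACE("permit", "tcp", "10.99.0.0/24", "10.0.0.10/32", dport=80),   # remediation server
    ACE("permit", "tcp", "10.99.0.0/24", "10.0.0.10/32", dport=443),
    ACE("deny", "ip", "any", "any"),                                  # explicit catch-all
]

if __name__ == "__main__":
    print(radius_vlan_attributes("noncompliant"))
    for pkt in (Packet("udp", "0.0.0.0", "255.255.255.255", 68, 67),
                Packet("tcp", "10.99.0.5", "10.0.0.10", 40000, 80),
                Packet("tcp", "10.99.0.5", "10.0.1.20", 40001, 445)):
        print(pkt, "->", evaluate(QUARANTINE_ACL, pkt))
```

The explicit final `deny ip any any` is redundant with the implicit deny, but keeping it makes the decision visible in `evaluate`'s returned index, which is what you want when reviewing why a quarantined host could or could not reach a given server.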