ACLs | HP Access Control Client Software guide

	Access Control Concepts
	Network Access Control Technologies

N o t e	In “Endpoint Integrity” on page 1-36, you will learn about solutions that test
	endpoints for compliance with security policies. A network that enforces
	endpoint integrity might include additional VLANs:
	■ Test VLANs—The VLANs in which endpoints are placed after they
	connect to the network but before they are tested by the network access
	controller. A test VLAN can the same as the quarantine VLAN (described
	below) or its own VLAN. In either case, the VLAN should be rather
	restrictive.
	■ Quarantine VLANs—The VLANs for endpoints that fail to comply with
	the network’s security policies. A quarantine VLAN typically allows access
	only to resources necessary for bringing endpoints into compliance.
	■ Infected VLANs—The VLANs for endpoints on which the NAC 800
	detects viruses, trojans, or other malware. While you can place infected
	and quarantined endpoints in the same VLAN, you may want to separate
	them. Then infected endpoints do not spread malware to the not-yet-
	infected, but insecure quarantined endpoints.
	These VLANs would be assigned to endpoints dynamically as part of the
	policies sent out the RADIUS server (which, if you are using the ProCurve
	NAC 800 could be the network access controller itself). Note, however, that
	some network access controllers use different methods to quarantine end-
	points—methods that do not rely on VLAN assignments at all.
	ACLs
	ACLs
	A VLAN assignment ensures that a user receives an IP address in the correct
	subnet. ACLs control communications between subnets so that users in a
	particular VLAN receive access to the correct resources.

An ACL is a series of rules, or access control entries (ACEs) to which a network device compares every packet that arrives. Although ACLs can operate either at Layer 2 or Layer 3/4, this design guide focuses on Layer 3/4 ACLs. An ACE in such an ACL controls traffic according to a variety of fields in the IP header:

■Protocol (TCP, UDP, Internet Group Management Protocol [IGMP], and so forth)

■IP source address

■Source port

■IP destination address

■Destination port (for example, UDP 67 to allow DHCP traffic or 80 to allow Web traffic)

1-35

Image 49

HP Access Control Client Software manual ACLs

Contents

ProCurve Solutions Page ProCurve Access Control Security Applicable ProCurve Products Contents Customer Needs Assessment Evaluate the Existing Network Environment Designing Access Controls Endpoint Capabilities and Administrative Control Page Appendix a Glossary Index Page Page Page Contents Access Control Concepts Access Control Concepts Introduction to Access Control Network Access Control Access Control Concepts AAA Network Access Control Technologies Authentication Authorization T e NAS ID Accounting Endpoint Network Access Control ArchitecturePolicy Enforcement Point PEP Policy Decision Point PDP Access Control Concepts Policy Repository Network Access Control Architecture Network Access Control Process MAC-Auth Authentication-Based Network Access Control Methods Introduce security vulnerablities MAC-Auth Process Web-Auth Web-Auth Process 802.1X 802.1X Process Authentication Requirements Authentication ProtocolsMAC-Auth-None PAP EAP MS-CHAPv2 Access Control Concepts Access Control Concepts Radius NAS ID 802.11 Wireless AuthenticationT e Dynamic WEP Static Wired Equivalent Privacy WEP WPA/WPA2 VLANs Access Control Rights-Dynamic Settings Devices ACLs Endpoint Integrity Policies Endpoint Integrity Security Settings Pre-connect and Post-connect TestingSoftware Operating System Testing Methods Access Control Concepts Endpoint Requirements for Integrity Checking WMI Quarantine Methods Endpoint Integrity Posture User’s assignment and places him or her in a quarantine Vlan T e ProCurve NAC NAC 800 as an Endpoint Integrity Only Solution Process for 802.1X Quarantining Endpoint Integrity Only. 802.1X Deployment With each other Dhcp Deployment T e IP address = 192.168.8.1/24 IP address = 192.168.9.1/24 Inline Deployment Method NAC 800 as a RADIUS-Only Solution NAC 800 as Both a Radius Server and an Endpoint Integrity Solution Access Control Concepts User Authenticates and Is Placed in the Test Vlan Access Control Concepts User Re-authenticates and Is Placed in the Appropriate Vlan Wlan ProCurve IDM IAS, and the IDM agent on the same Windows Server Radius Process with IDM Customer Needs Assessment Customer Needs Assessment Overview Customer Needs Assessment Employees Types of Users Guests Temporary Employees Network Skills Network Users Recording Information about Users Wireless Connections Wired ConnectionsTypes of Connections Remote Connections Group Permitted Connections Access Times Network ResourcesRecording the Types of Connections Available to Users Access Control Zones Wireless and Wired Zones Access Control Zones Customer Needs Assessment Determine Risk Tolerance Regulations Federal Information Security Management Act Quantify Your Company’s Risk Tolerance Regulatory Compliance Attack Vectors Vulnerability to AttacksExternal Attacks Internal Attacks Types of Attacks Malware Viruses and Worms Customer Needs Assessment Customer Needs Assessment Size Evaluate the Existing Network EnvironmentEdge Devices Switch Vendor Firmware Location Recording Information about Network SwitchesPort Mirroring Model Number Version Supported Monitoring Spanning AP as a Supplicant Workstations and Laptops EndpointsRecording Information about APs Customer Needs Assessment Recording Information about Workstations and Laptops Other EndpointsLaptop or Quantity User Operating Applications Workstation System Network Radius Servers Directory ServiceRecording Information about Other Endpoints Routing Information Subnets and VLANsDchp Servers Sample Network Diagram Network Diagram Browser Security Policy-Windows Determine Your Endpoint Integrity Requirements Customer Needs Assessment Default Settings for Internet Explorer Zones Select Security Settings for Your CompanyZone Default Setting Security Settings-Windows Security Settings-OSOperating System-Windows Software-Windows Control over Network Resources Human Factor Users’ Cooperation IT Department Workload Customer Needs Assessment Customer Needs Assessment Designing Access Controls Designing Access Controls Endpoint Capabilities and Administrative Control Select an EAP Method for 802.1X 106 Comprehensive Security Policy Components Designing Access Controls Example Network Process of Designing Access Control Security Diagram of the PCU Campus Designing Access Controls PCU Campus Zones Network Infrastructure Divided into Access Zones Advantages and Disadvantages of Access Control Methods Choose the Access Control Methods High Endpoints that accessHigh effort to Security Concerns by Zone Network Access Zones SecuritySecurity Zone Private Public Wired Zone Security Concerns WEP Wireless Zone Security Concerns WPA/WPA2 Tkip CCMP-AES Wireless Security Web-Auth None by default Do your endpoints have 802.1X supplicants? Vulnerability and Risk Tolerance Technical Knowledge Characteristics Selecting an Access Control Method Based on Security NeededUser Type and Sophistication Example MAC-Auth Web-Auth 802.1X Access Control Method by User Sophistication Level Access Control Method by User Type and Sophistication Administrative Workload Endpoint Compatibility of Access Control Methods Access Control Method by Administrative Workload Hardware Type of Interface Operating System 10. Configuration of PCU’s Endpoints 11. Access Control Method by Endpoint Capabilities Administrative Control over Endpoints 13. Access Control Method by Administrative Control Level 12. Administrative Control LevelsDescription Switch Series MAC-Auth Web-Auth 802.1X 14. Authentication Method by Administrative ControlNetwork Infrastructure Devices 17. Access Control Method by Existing Infrastructure New capabilities for these wireless productsProCurve Product Software Version MAC-Auth Web-Auth 802.1X Network Infrastructure Devices as 802.1X Supplicants Bringing All of the Factors Together ProCurve Switches 802.1X Supplicant Them 19. Access Control Methods by Feasibility Factor Weight Private Wired Public Wired 20. Preliminary Decisions for the Access Control Method 21. Preliminary Decisions for the Access Control Method 22. Access Control Methods for Each Zone Make Decisions about Remote Access VPNZone Access Control Method 23. Disadvantages of Remote Access Decide Whether to Grant Remote AccessDisadvantages Mitigating Factors Select VPN Options 24. Advantages of Remote AccessAdvantages Explanation 25. Options for VPN Protocols DSA Vulnerability and Risk Assessment 26. Selecting VPN Options Based on Security Needs They have? Router or firewall Administrative Workload and IT Budget Designing Access Controls Native Capabilities With VPN Client 29. Endpoint Compatibility for Remote Access 30. Selecting VPN Options Based on Endpoint Existing Network Infrastructure Bringing All Factors Together 32. Preliminary Decisions for VPN Options 33. PCU’s Preliminary Decisions for VPN Options Choose the Endpoint Integrity Deployment Method Access Control Method MAC-Auth Vulnerability to Risks and Risk Tolerance 35. Deployment Method by Access Control Method Designing Access Controls Public Wireless Remote Factor Private Wired Public Wired36. Security Level of Deployment Methods 37. Deployment Method by Security Connection Type Wireless38. Deployment Method by Existing Network Infrastructure Bringing the Factors Together Wireless Connection type Inline39. Deployment Method by Connection Type 42. Deployment Method by Zone Factor Weight Private Wired Public Wired Remote WirelessZone Deployment Method 43. Summary of Testing Methods Choose Endpoint Integrity Testing MethodsTesting Method Advantages Disadvantages NAC EI Agent Requirements for Testing Methods InstallShield Wizard for the NAC EI Agent Requirements for ActiveX Testing Advantages and Disadvantages of NAC Agent TestingActiveX Agentless Advantages and Disadvantages of ActiveX Testing Requirements for Agentless Testing Deciding Which Testing Methods to EnableAdvantages and Disadvantages of Agentless Testing Transparent Testing Designing Access Controls Testing methods Testing with User Interaction Designing Access Controls Administrative Control over Endpoints Factors to Consider for Testing Methods 45. Testing Method by Administrative Control 44. Testing Method by Control over EndpointsFactor Public Wired Private Wired Private Wireless Remote 46. Testing Methods by Post-Connect Testing Post-Connect Testing User Sophistication 47. Testing Method by Post-Connect Testing 49. Testing Methods for User Sophistication 48. Testing Method by User SophisticationPrivate Remote Wireless 50. Testing Methods by Administrative Workload Administrative WorkloadAgentless ActiveX NAC IE Agent Network Overhead 51. Testing Methods for Administrative Workload 53. Preliminary Decisions for Testing Methods 52. Testing Method by Network OverheadFactor Public Wired Bringing All of the Factors Together 54. Preliminary Decisions for Testing Method Choose Radius Servers Network Authentication Architecture Choose Which Devices Will Play the Role of PDP Radius Servers in a Network Without Endpoint Integrity 56. Integrated Server Combination 55. General Combination57. Integrated Server/Proxy Combination 58. Turnkey Server 61. Alternate Integrated Server/Proxy Combination 60. Fully Integrated CombinationPEPs with Built-in PDPs PEPs with Built-in PDPs and Policy/Credential Repositories Users Combination Wired Per LAN Wireless Per LAN Total WAN 65. Access Control Component Combinations 64. Scalability of Access Control Component CombinationsMost Scalable Least Scalable Choose an Access Control Architecture Designing Access Controls 67. Radius Server Locations Centralizing Policies 68. Radius Server Locations Eliminating Inter-Site Traffic 69. Radius Server Locations Reducing Inter-Site Traffic 70. Radius Server Locations for PCU Determine the Number of Radius Servers Choose Your Radius Servers and Finalize the Plan Radius Server Decision Tree Designing Access Controls Does your organization already use IAS for other functions? IAS as the Radius Server NAC 800 as the Radius Server 72. Integrated Server/Proxy for the NAC 71. General Combination for the NAC73. Turnkey Server Combination for the NAC Wireless Edge Services Module Database Designing Access Controls IDM Overview Add ProCurve IDMDetermine If You Need IDM Design Parameters for a Network with IDM Add Users Create Access Policy Groups Select an EAP Method for 10. EAP Method Decision Flowchart Designing Access Controls Supplicant 75. EAP Methods Supported by 802.1X Supplicants EAP-TNC EAP-LEAP Not 76. EAP Methods Supported by Radius ServersServer Designing Access Controls User Groups and Policies Finalize Security Policies77. Final Security Policy by Zone 78. Example Security Policy by Zone Access Group Policies with IDM Access Profile 79. Access ProfilesAccess Profiles 80. Dynamic VLANs 81. Dynamic VLANs for PCU 83. Resources 82. Resources by Entire VlanResource Vlan ID Subnet Address Resource IP Address Protocol 85. PCU Resources 84. PCU Resources by Vlan Access Profile Resources 86. Resources Allowed in Access Profiles Access Profile Resource 87. Resources Allowed in PCU Access Profiles Faculty Web servers, white pages Library catalog and printer Resources Rate Limit QoS 88. Resources Allowed in Access Profiles 90. Sample Access Policy Group Rules for PCU 89. Access Policy Group RulesAccess Policy Inputs Group Location Time System Outputs-Access Profile Access Policies without IDM Attribute Explanation Value for My Policy 91. Radius Attributes in Access Requests 93. Dynamic Settings for My Policies 92. Authentication Protocols for My PoliciesAttribute Policy 1-Setting Policy 2-Setting Design NAC Policy Groups Create the NAC Policies Design NAC Policies 95. Tests for Minimal Endpoint Integrity 94. Tests for Minimal Endpoint Integrity Anti-Virus Anti-Spyware Personal Firewalls Mac Firewall 96. Tests for Medium Endpoint Integrity Browser? Enter the required versions in Table 97. Web Browser Tests Test Settings Mozilla Firefox 99. Other Tests for Hotfixes 98. Macro Security TestsMicrosoft Excel Microsoft Outlook Windows Media Mac QuickTime IIS 101. Tests for Applications 100. Windows Automatic UpdatesOptions Your selection 103. Tests for Shared Connections 102. Tests for Services104. Tests on Mac Airport Windows Bridge Network Connection Mac Internet Sharing Specified as allowed Core Resources Lay Out the Network105. Test for Windows Startup Registry Entries T e Public Wired Zone Access Zones for Endpoints Vlan Assignment and Other Dynamic Settings. You can set up 133 106. Public Wired Zone Policies 108. Public Wireless Zone Policies Public Wireless Zone Designing Access Controls Product Software Version Radios Modes WLANs 109. Capabilities of ProCurve Wireless Products EAP Method for Software AuthenticationVersion Methods 802.1X 112. ProCurve Products That Support PoE 111. PoE Requirements on ProCurve RPs and APs Lay Out the Network 113. Private Wired Zone Policies Private Wired Zone Might otherwise be ignored 115. Private Wireless Zone Policies Private Wireless ZoneMS-CHAPv2 Remote Zone Designing Access Controls Number Module VPN Protocol Maximum EncryptionTunnels 3DES Adjacent Zones Combining Access Control Zone DesignsOverlapping Zones 117. VPN Capabilities of the ProCurve VPN Client Designing Adjacent and Overlapping Zones Integrating all Parts of the Network Design Adding Access Control to an Existing Network Migrating from One Solution to Another 150 ProCurve Elite Partners Services and Support Other Resources Implementation Elements Solution Elements of Each Access Control Solution Other Resources Numeric Appendix a Glossary See also Dhcp deployment method and inline deployment method Appendix a Glossary Access point See AP Agent See NAC EI agent Appendix a Glossary Appendix a Glossary Appendix a Glossary Digital certificate See certificate EI See endpoint integrity Enforcement See ES. server Extensible See EAP Authentication Protocol GTC See EAP-GTC Inline quarantine method Appendix a Glossary Management See MS. server Lightweight See LDAP. directory access ProtocolMirroring, remote See remote mirroring Appendix a Glossary Appendix a Glossary Permanent agent Peer-to-peerPoE Pre-shared key See PSK Posture See integrity posturePublic key See PKI. infrastructure Radio port See RP Remote procedure See RPC. call Appendix a Glossary Appendix a Glossary Appendix a Glossary Appendix a Glossary Html Appendix a Glossary Appendix a Glossary Index See DNS EAP … 1-21, 1-25, 1-53 EAP GTC … See Imsi OS-X See SOX security policies TLS See WEP Contents Contents Overview ProCurve Access Control Solution Enhancements to the ProCurve Access Control Solution ProCurve NAC Deep Check TestingSMB Signing Integration with Microsoft SMS Post-Connect NAC TestingSupport for Rdac Dhcp Plug-in Deployment Better synchronization with Microsoft Active Directory Identity Driven Manager ProCurve Access Control Solution NAP Components Microsoft NAP NAP enforcement point NAP client NAP health policy server NPS Active Directory domain serviceHealth requirement servers Restricted network NAP Enforcement Clients ECs NAP Client ArchitectureSystem Health Agents SHAs NAP Agent Figure A-4. Client-Side NAP Architecture NAP Server Architecture Table A-2. NAP ECs and Corresponding NAP Enforcement Points NAP Enforcement PointNAP Enforcement Point Health Requirement Servers Network Access MethodsIPsec Figure A-5. IPsec-Protected and Unprotected Communications Figure A-6. HRA Network Access Dhcp 802.1X Authentication VPN Access Figure A-9. Ieee 802.1X Network Access Remediation and Health Requirement Servers Updating the Access Control Design Process Existing Network Environment Choose the Endpoint Integrity Solution Existing Network Environment Option Vulnerability to Risks and Risk Tolerance Risk Tolerance Management Resources Interoperability Requirements Bringing the Factors Together Factor Weight SelectionInteroperability Option Requirements Choose the Endpoint Integrity Deployment Method Updating the Access Control Design Process Updating the Access Control Design Process