Access Control Concepts

Network Access Control Technologies

If a packet’s IP header matches the ACE, the device treats the packet as indicated in the ACE, forwarding it (“allow”) or dropping it (“deny”).

In effect, the ACL controls which devices can access which other devices using which applications. For example, suppose you want to allow devices in VLAN 100 to access a private Web server. In an “allow” ACE, you enter TCP as the protocol, the Web server’s IP address as the destination IP address, and 80 (HTTP) as the destination TCP port. Then you apply the ACL to the VLAN.
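The following is an added illustration of the ACE matching just described, not code from the manual or from ProCurve: a small evaluator that checks a packet’s protocol, destination address and destination port against an ordered ACL. The Web server address (10.1.1.80) is a constructed value, and the first-match and implicit-deny behaviour is an assumption about how such ACLs are typically processed.

```python
# Added example: minimal ACL/ACE evaluator for the VLAN 100 Web server case.
# Not ProCurve code; the addresses used below are constructed.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class ACE:
    action: str                     # "allow" or "deny"
    protocol: str                   # "tcp", "udp", "icmp", or "ip" (any protocol)
    dst: str                        # destination network in CIDR notation
    dst_port: Optional[int] = None  # TCP/UDP destination port; None = any port

    def matches(self, proto: str, dst_ip: str, dst_port: Optional[int]) -> bool:
        """True when every criterion in this ACE matches the packet header."""
        if self.protocol != "ip" and self.protocol != proto:
            return False
        if ip_address(dst_ip) not in ip_network(self.dst):
            return False
        return self.dst_port is None or self.dst_port == dst_port


def evaluate(acl: List[ACE], proto: str, dst_ip: str,
             dst_port: Optional[int] = None) -> str:
    """Return the action of the first ACE that matches the packet.

    Assumption: ACEs are checked in order and the first match wins; a packet
    that matches no ACE is denied, as is typical of switch ACLs.
    """
    for ace in acl:
        if ace.matches(proto, dst_ip, dst_port):
            return ace.action
    return "deny"


# ACL applied to VLAN 100: allow HTTP to the private Web server only.
VLAN100_ACL = [ACE("allow", "tcp", "10.1.1.80/32", 80)]

# ACE order matters: this deny covers the server's subnet and is evaluated
# first, so the later allow never takes effect (a "shadowed" ACE).
SHADOWED_ACL = [
    ACE("deny", "ip", "10.1.1.0/24"),
    ACE("allow", "tcp", "10.1.1.80/32", 80),
]

if __name__ == "__main__":
    print(evaluate(VLAN100_ACL, "tcp", "10.1.1.80", 80))   # allow
    print(evaluate(VLAN100_ACL, "tcp", "10.1.1.80", 22))   # deny (only port 80 allowed)
    print(evaluate(VLAN100_ACL, "tcp", "10.1.1.81", 80))   # deny (different host)
    print(evaluate(SHADOWED_ACL, "tcp", "10.1.1.80", 80))  # deny (shadowed allow)
```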

You can apply ACLs manually to VLANs and ports. But, as with VLAN assignments, network access control enables dynamic ACLs, which can authorize users for network resources at quite a granular level.

Due to the complexity involved in configuring dynamic ACLs on a RADIUS server, it is recommended that you use a solution such as IDM.

Endpoint Integrity

Endpoint integrity adds another component to an access control solution: users can only connect to your network using equipment that meets your standards for security.

Implementing endpoint integrity can be rather complex, encompassing concepts and processes that might be new to you. Although the industry is beginning to standardize on some concepts and terminology, this process is ongoing. To the extent possible, this section describes the industry-wide concepts and terminology. It then provides specific examples based on the ProCurve NAC 800.

Endpoint Integrity Policies

An endpoint integrity policy dictates the criteria that an endpoint must meet to connect to the network. You can think of this policy as the section of your organization’s security policy that applies to end-user equipment.

The endpoint integrity policy consists of a precise series of tests which the network access controller runs on endpoints that attempt access. Each test searches for a specific setting and has a specific allowed result.

For example, the endpoint integrity policy might test the security settings for the Internet zone used by the endpoint’s Internet Explorer (IE). The policy enforces the security setting, such as Medium, for that zone; unless the endpoint’s setting is at or above Medium, the endpoint fails the test.

1-36

HP Access Control Client Software manual Endpoint Integrity Policies