Manuals / HP / Computer Equipment / Software

HP Access Control Client Software manual 802.1X Deployment

Models: Access Control Client Software

1 338

Download 338 pages 18.69 Kb

Page 60

Access Control Concepts

ProCurve NAC 800

A NAC policy consists of a list of tests. The NAC 800 provides a wide array of customizable tests, and Chapter 2: “Customer Needs Assessment” gives you some guidelines in choosing tests that meet your needs. The NAC policy also dictates whether an endpoint that fails a particular test should be quarantined immediately, quarantined after a grace period, or not quarantined at all. The NAC policy repository depends on the deployment:

■The NAC policy is stored on the NAC 800 that runs the tests if that NAC 800 is a stand-alone device (a CS).

■If the NAC 800 is part of a cluster, an MS acts as the repository for policies. The ESs run the tests.

As an endpoint-integrity-only solution, the NAC 800 supports all three deploy- ment methods. Let’s look at how those methods work in more detail.

802.1X Deployment

In an endpoint-integrity-only 802.1X deployment, the NAC 800 tests endpoints for compliance with the system’s NAC policies, but a different RADIUS server authenticates the users.

This RADIUS server must be an IAS server, which is configured to contact the NAC 800 after authenticating a user and request the integrity posture for the user’s endpoint. The IAS server then assigns the user to a test or a quarantine VLAN, if necessary.

Process for 802.1X Quarantining (Endpoint Integrity Only). The

NAC 800 imposes this process to control an endpoint’s network access:

1.The endpoint establishes a Data-Link Layer connection to the PEP:

•An Ethernet cable is plugged into a switch, and the link opens.

•A wireless endpoint associates with a wireless AP.

2.The PEP shuts down the connection to all traffic except EAP authentication messages. It sends an EAP challenge to the endpoint’s 802.1X supplicant.

3.The endpoint returns an EAP message that typically contains its user- name. The PEP proxies this response to IAS and IAS’s reply back to the endpoint.

4.The endpoint and IAS exchange authentication information (proxied by the PEP) as dictated by the EAP method.

5.IAS verifies the user’s credentials (typically against Active Directory).

1-46

Image 60

HP Access Control Client Software manual 802.1X Deployment, Process for 802.1X Quarantining Endpoint Integrity Only

Contents

ProCurve Solutions Page ProCurve Access Control Security Applicable ProCurve Products Contents Customer Needs Assessment Evaluate the Existing Network Environment Designing Access Controls Endpoint Capabilities and Administrative Control Page Appendix a Glossary Index Page Page Page Access Control Concepts ContentsAccess Control Concepts Introduction to Access Control Network Access Control Access Control Concepts Network Access Control Technologies AAAAuthentication Authorization T e Accounting NAS IDNetwork Access Control Architecture EndpointPolicy Enforcement Point PEP Policy Decision Point PDP Access Control Concepts Policy Repository Network Access Control Process Network Access Control ArchitectureAuthentication-Based Network Access Control Methods MAC-AuthIntroduce security vulnerablities MAC-Auth Process Web-Auth Web-Auth Process 802.1X 802.1X Process Authentication Protocols Authentication RequirementsMAC-Auth-None PAP MS-CHAPv2 EAPAccess Control Concepts Access Control Concepts Radius NAS ID Wireless Authentication 802.11T e Static Wired Equivalent Privacy WEP Dynamic WEPWPA/WPA2 Access Control Rights-Dynamic Settings VLANsDevices ACLs Endpoint Integrity Endpoint Integrity PoliciesPre-connect and Post-connect Testing Security SettingsSoftware Operating SystemTesting Methods Access Control Concepts Endpoint Requirements for Integrity Checking WMI Endpoint Integrity Posture Quarantine MethodsUser’s assignment and places him or her in a quarantine Vlan T e NAC 800 as an Endpoint Integrity Only Solution ProCurve NAC802.1X Deployment Process for 802.1X Quarantining Endpoint Integrity Only.With each other Dhcp Deployment T e IP address = 192.168.8.1/24 IP address = 192.168.9.1/24 Inline Deployment Method NAC 800 as a RADIUS-Only Solution Solution NAC 800 as Both a Radius Server and an Endpoint IntegrityAccess Control Concepts User Authenticates and Is Placed in the Test Vlan Access Control Concepts User Re-authenticates and Is Placed in the Appropriate Vlan ProCurve IDM WlanIAS, and the IDM agent on the same Windows Server Radius Process with IDM Customer Needs Assessment Customer Needs Assessment Overview Customer Needs Assessment Types of Users EmployeesTemporary Employees GuestsNetwork Skills Recording Information about Users Network UsersWired Connections Wireless ConnectionsTypes of Connections Group Permitted Connections Access Times Network Resources Remote ConnectionsRecording the Types of Connections Available to Users Access Control Zones Wireless and Wired Zones Access Control Zones Customer Needs Assessment Determine Risk Tolerance Regulations Federal Information Security Management Act Regulatory Compliance Quantify Your Company’s Risk ToleranceVulnerability to Attacks Attack VectorsExternal Attacks Internal AttacksTypes of Attacks Malware Viruses and Worms Customer Needs Assessment Customer Needs Assessment Evaluate the Existing Network Environment SizeEdge Devices Recording Information about Network Switches Switch Vendor Firmware LocationPort Mirroring Model Number Version Supported Monitoring SpanningAP as a Supplicant Endpoints Workstations and LaptopsRecording Information about APs Customer Needs Assessment Other Endpoints Recording Information about Workstations and LaptopsLaptop or Quantity User Operating Applications Workstation System NetworkDirectory Service Radius ServersRecording Information about Other Endpoints Subnets and VLANs Routing InformationDchp Servers Network Diagram Sample Network DiagramDetermine Your Endpoint Integrity Requirements Browser Security Policy-WindowsCustomer Needs Assessment Select Security Settings for Your Company Default Settings for Internet Explorer ZonesZone Default Setting Security Settings-OS Security Settings-WindowsOperating System-Windows Software-Windows Human Factor Control over Network ResourcesIT Department Workload Users’ CooperationCustomer Needs Assessment Customer Needs Assessment Designing Access Controls Endpoint Capabilities and Administrative Control Designing Access ControlsSelect an EAP Method for 802.1X 106 Comprehensive Security Policy Components Designing Access Controls Process of Designing Access Control Security Example NetworkDiagram of the PCU Campus Designing Access Controls PCU Campus Zones Network Infrastructure Divided into Access Zones Choose the Access Control Methods Advantages and Disadvantages of Access Control MethodsEndpoints that access HighHigh effort to Network Access Zones Security Security Concerns by ZoneSecurity Zone Private Public Wired Zone Security Concerns Wireless Zone Security Concerns WEPWireless Security WPA/WPA2 Tkip CCMP-AESWeb-Auth None by default Do your endpoints have 802.1X supplicants? Vulnerability and Risk Tolerance Selecting an Access Control Method Based on Security Needed Technical Knowledge CharacteristicsUser Type and Sophistication ExampleAccess Control Method by User Sophistication Level MAC-Auth Web-Auth 802.1XAdministrative Workload Access Control Method by User Type and SophisticationAccess Control Method by Administrative Workload Endpoint Compatibility of Access Control Methods10. Configuration of PCU’s Endpoints Hardware Type of Interface Operating SystemAdministrative Control over Endpoints 11. Access Control Method by Endpoint Capabilities12. Administrative Control Levels 13. Access Control Method by Administrative Control LevelDescription 14. Authentication Method by Administrative Control Switch Series MAC-Auth Web-Auth 802.1XNetwork Infrastructure Devices New capabilities for these wireless products 17. Access Control Method by Existing InfrastructureProCurve Product Software Version MAC-Auth Web-Auth 802.1X Network Infrastructure Devices as 802.1X Supplicants ProCurve Switches 802.1X Supplicant Bringing All of the Factors Together19. Access Control Methods by Feasibility Them20. Preliminary Decisions for the Access Control Method Factor Weight Private Wired Public Wired21. Preliminary Decisions for the Access Control Method Make Decisions about Remote Access VPN 22. Access Control Methods for Each ZoneZone Access Control Method Decide Whether to Grant Remote Access 23. Disadvantages of Remote AccessDisadvantages Mitigating Factors 24. Advantages of Remote Access Select VPN OptionsAdvantages Explanation 25. Options for VPN Protocols Vulnerability and Risk Assessment DSA26. Selecting VPN Options Based on Security Needs They have? Router or firewall Administrative Workload and IT Budget Designing Access Controls 29. Endpoint Compatibility for Remote Access Native Capabilities With VPN ClientExisting Network Infrastructure 30. Selecting VPN Options Based on EndpointBringing All Factors Together 32. Preliminary Decisions for VPN Options 33. PCU’s Preliminary Decisions for VPN Options Access Control Method Choose the Endpoint Integrity Deployment MethodMAC-Auth 35. Deployment Method by Access Control Method Vulnerability to Risks and Risk ToleranceDesigning Access Controls Factor Private Wired Public Wired Public Wireless Remote36. Security Level of Deployment Methods 37. Deployment Method by SecurityWireless Connection Type38. Deployment Method by Existing Network Infrastructure Wireless Connection type Inline Bringing the Factors Together39. Deployment Method by Connection Type Factor Weight Private Wired Public Wired Remote Wireless 42. Deployment Method by ZoneZone Deployment Method Choose Endpoint Integrity Testing Methods 43. Summary of Testing MethodsTesting Method Advantages Disadvantages Requirements for Testing Methods NAC EI AgentInstallShield Wizard for the NAC EI Agent Advantages and Disadvantages of NAC Agent Testing Requirements for ActiveX TestingActiveX Advantages and Disadvantages of ActiveX Testing AgentlessDeciding Which Testing Methods to Enable Requirements for Agentless TestingAdvantages and Disadvantages of Agentless Testing Transparent Testing Designing Access Controls Testing with User Interaction Testing methodsDesigning Access Controls Factors to Consider for Testing Methods Administrative Control over Endpoints44. Testing Method by Control over Endpoints 45. Testing Method by Administrative ControlFactor Public Wired Private Wired Private Wireless RemotePost-Connect Testing 46. Testing Methods by Post-Connect Testing47. Testing Method by Post-Connect Testing User Sophistication48. Testing Method by User Sophistication 49. Testing Methods for User SophisticationPrivate Remote Wireless Administrative Workload 50. Testing Methods by Administrative WorkloadAgentless ActiveX NAC IE Agent 51. Testing Methods for Administrative Workload Network Overhead52. Testing Method by Network Overhead 53. Preliminary Decisions for Testing MethodsFactor Public Wired Bringing All of the Factors Together54. Preliminary Decisions for Testing Method Network Authentication Architecture Choose Radius ServersRadius Servers in a Network Without Endpoint Integrity Choose Which Devices Will Play the Role of PDP55. General Combination 56. Integrated Server Combination57. Integrated Server/Proxy Combination 58. Turnkey Server60. Fully Integrated Combination 61. Alternate Integrated Server/Proxy CombinationPEPs with Built-in PDPs PEPs with Built-in PDPs and Policy/Credential RepositoriesUsers Combination Wired Per LAN Wireless Per LAN Total WAN 64. Scalability of Access Control Component Combinations 65. Access Control Component CombinationsMost Scalable Least ScalableChoose an Access Control Architecture Designing Access Controls 67. Radius Server Locations Centralizing Policies 68. Radius Server Locations Eliminating Inter-Site Traffic 69. Radius Server Locations Reducing Inter-Site Traffic Determine the Number of Radius Servers 70. Radius Server Locations for PCUChoose Your Radius Servers and Finalize the Plan Radius Server Decision Tree Designing Access Controls IAS as the Radius Server Does your organization already use IAS for other functions?NAC 800 as the Radius Server 71. General Combination for the NAC 72. Integrated Server/Proxy for the NAC73. Turnkey Server Combination for the NAC Wireless Edge Services Module Database Designing Access Controls Add ProCurve IDM IDM OverviewDetermine If You Need IDM Design Parameters for a Network with IDM Create Access Policy Groups Add Users10. EAP Method Decision Flowchart Select an EAP Method forDesigning Access Controls 75. EAP Methods Supported by 802.1X Supplicants Supplicant76. EAP Methods Supported by Radius Servers EAP-TNC EAP-LEAP NotServer Designing Access Controls Finalize Security Policies User Groups and Policies77. Final Security Policy by Zone 78. Example Security Policy by ZoneAccess Group Policies with IDM 79. Access Profiles Access ProfileAccess Profiles 80. Dynamic VLANs81. Dynamic VLANs for PCU 82. Resources by Entire Vlan 83. ResourcesResource Vlan ID Subnet Address Resource IP Address Protocol84. PCU Resources by Vlan 85. PCU Resources86. Resources Allowed in Access Profiles Access Profile Resources87. Resources Allowed in PCU Access Profiles Access Profile ResourceFaculty Web servers, white pages Library catalog and printer 88. Resources Allowed in Access Profiles Resources Rate Limit QoS89. Access Policy Group Rules 90. Sample Access Policy Group Rules for PCUAccess Policy Inputs Group Location Time System Outputs-Access ProfileAccess Policies without IDM 91. Radius Attributes in Access Requests Attribute Explanation Value for My Policy92. Authentication Protocols for My Policies 93. Dynamic Settings for My PoliciesAttribute Policy 1-Setting Policy 2-Setting Create the NAC Policies Design NAC Policy GroupsDesign NAC Policies 94. Tests for Minimal Endpoint Integrity 95. Tests for Minimal Endpoint Integrity96. Tests for Medium Endpoint Integrity Anti-Virus Anti-Spyware Personal Firewalls Mac Firewall97. Web Browser Tests Test Settings Mozilla Firefox Browser? Enter the required versions in Table98. Macro Security Tests 99. Other Tests for HotfixesMicrosoft Excel Microsoft Outlook Windows Media Mac QuickTime IIS100. Windows Automatic Updates 101. Tests for ApplicationsOptions Your selection 102. Tests for Services 103. Tests for Shared Connections104. Tests on Mac Airport Windows Bridge Network Connection Mac Internet SharingSpecified as allowed Lay Out the Network Core Resources105. Test for Windows Startup Registry Entries T e Access Zones for Endpoints Public Wired ZoneVlan Assignment and Other Dynamic Settings. You can set up 106. Public Wired Zone Policies 133Public Wireless Zone 108. Public Wireless Zone PoliciesDesigning Access Controls 109. Capabilities of ProCurve Wireless Products Product Software Version Radios Modes WLANsSoftware Authentication EAP Method forVersion Methods 802.1X 111. PoE Requirements on ProCurve RPs and APs 112. ProCurve Products That Support PoELay Out the Network Private Wired Zone 113. Private Wired Zone PoliciesMight otherwise be ignored Private Wireless Zone 115. Private Wireless Zone PoliciesMS-CHAPv2 Remote Zone Designing Access Controls Module VPN Protocol Maximum Encryption NumberTunnels 3DESCombining Access Control Zone Designs Adjacent ZonesOverlapping Zones 117. VPN Capabilities of the ProCurve VPN ClientDesigning Adjacent and Overlapping Zones Adding Access Control to an Existing Network Integrating all Parts of the Network DesignMigrating from One Solution to Another 150 Services and Support ProCurve Elite PartnersImplementation Other ResourcesElements of Each Access Control Solution Elements SolutionOther Resources Appendix a Glossary NumericSee also Dhcp deployment method and inline deployment method Access point See AP Appendix a GlossaryAgent See NAC EI agent Appendix a Glossary Appendix a Glossary Appendix a Glossary Digital certificate See certificate EI See endpoint integrity Extensible See EAP Authentication Protocol GTC See EAP-GTC Enforcement See ES. serverInline quarantine method Appendix a Glossary Lightweight See LDAP. directory access Protocol Management See MS. serverMirroring, remote See remote mirroring Appendix a Glossary Appendix a Glossary Peer-to-peer Permanent agentPoE Posture See integrity posture Pre-shared key See PSKPublic key See PKI. infrastructure Radio port See RP Remote procedure See RPC. call Appendix a Glossary Appendix a Glossary Appendix a Glossary Appendix a Glossary Html Appendix a Glossary Appendix a Glossary Index See DNS EAP … 1-21, 1-25, 1-53 EAP GTC … See Imsi OS-X See SOX security policies TLS See WEP Contents Contents Overview ProCurve Access Control Solution Enhancements to the ProCurve Access Control Solution Deep Check Testing ProCurve NACSMB Signing Post-Connect NAC Testing Integration with Microsoft SMSSupport for Rdac Dhcp Plug-in Deployment Identity Driven Manager Better synchronization with Microsoft Active DirectoryProCurve Access Control Solution Microsoft NAP NAP ComponentsNAP client NAP enforcement pointActive Directory domain service NAP health policy server NPSHealth requirement servers Restricted networkNAP Client Architecture NAP Enforcement Clients ECsSystem Health Agents SHAs NAP AgentNAP Server Architecture Figure A-4. Client-Side NAP ArchitectureNAP Enforcement Point Table A-2. NAP ECs and Corresponding NAP Enforcement PointsNAP Enforcement Point Network Access Methods Health Requirement ServersIPsec Figure A-5. IPsec-Protected and Unprotected Communications Figure A-6. HRA Network Access Dhcp VPN Access 802.1X AuthenticationFigure A-9. Ieee 802.1X Network Access Remediation and Health Requirement Servers Updating the Access Control Design Process Choose the Endpoint Integrity Solution Existing Network EnvironmentVulnerability to Risks and Risk Tolerance Existing Network Environment OptionManagement Resources Risk ToleranceInteroperability Requirements Factor Weight Selection Bringing the Factors TogetherInteroperability Option Requirements Choose the Endpoint Integrity Deployment Method Updating the Access Control Design Process Updating the Access Control Design Process