HP Access Control Client Software guide

Access Control Concepts

ProCurve NAC 800

Because remediation is a key component of an endpoint integrity solution, the NAC 800 does not follow this strategy. Instead, it places quarantined endpoints in a subnet that exists in the private network, albeit in carefully controlled way.

You can establish the quarantine subnet in one of these ways:

■The NAC 800 assigns to quarantined endpoints IP addresses that are valid but unused in the production network. The quarantined “subnet” is not truly a subnet, but rather an unused subset of an existing subnet.

For example, the network includes three Class C user subnets, each with 100 users:

•10.1.2.0/24

•10.1.3.0/24

•10.1.4.0/24

The DHCP server assigns users addresses in the 25 to 125 range—for example, 10.1.2.25 to 10.1.2.125. The second half of each subnet (10.1.X.128/25) is available for quarantined endpoints:

•Quarantine “subnet” = 10.1.2.128/25

•Quarantine “subnet” = 10.1.3.128/25

•Quarantine “subnet” = 10.1.4.128/25

Of course, the scopes on the network DHCP server must exclude these addresses so that a healthy endpoint is not inadvertently assigned an address in the quarantined subset.

■The network administrator multinets the quarantine subnet on an existing VLAN. Each VLAN requires its own quarantine subnet.

For example, the network includes two Class C subnets, each with

250 users:

•192.168.8.0/24

•192.168.12.0/24

A quarantine subnet isolates non-compliant endpoints from each existing subnet:

•Quarantine subnet = 192.168.9.0/24

•Quarantine subnet = 192.168.13.0/24

The network administrator sets up multinetting on infrastructure devices to accommodate the quarantine subnets. For example, a routing switch could have this configuration:

•VLAN 2

IP address = 192.168.8.1/24 IP address = 192.168.9.1/24

1-50

Image 64

HP Access Control Client Software manual IP address = 192.168.8.1/24 IP address = 192.168.9.1/24

Contents

ProCurve Solutions Page ProCurve Access Control Security Applicable ProCurve Products Contents Customer Needs Assessment Evaluate the Existing Network Environment Designing Access Controls Endpoint Capabilities and Administrative Control Page Appendix a Glossary Index Page Page Page Access Control Concepts Contents Access Control Concepts Introduction to Access Control Network Access Control Access Control Concepts Network Access Control Technologies AAA Authentication Authorization T e Accounting NAS ID Endpoint Network Access Control ArchitecturePolicy Enforcement Point PEP Policy Decision Point PDP Access Control Concepts Policy Repository Network Access Control Process Network Access Control Architecture Authentication-Based Network Access Control Methods MAC-Auth Introduce security vulnerablities MAC-Auth Process Web-Auth Web-Auth Process 802.1X 802.1X Process Authentication Requirements Authentication ProtocolsMAC-Auth-None PAP MS-CHAPv2 EAP Access Control Concepts Access Control Concepts Radius NAS ID 802.11 Wireless AuthenticationT e Static Wired Equivalent Privacy WEP Dynamic WEP WPA/WPA2 Access Control Rights-Dynamic Settings VLANs Devices ACLs Endpoint Integrity Endpoint Integrity Policies Pre-connect and Post-connect Testing Security SettingsSoftware Operating System Testing Methods Access Control Concepts Endpoint Requirements for Integrity Checking WMI Endpoint Integrity Posture Quarantine Methods User’s assignment and places him or her in a quarantine Vlan T e NAC 800 as an Endpoint Integrity Only Solution ProCurve NAC 802.1X Deployment Process for 802.1X Quarantining Endpoint Integrity Only. With each other Dhcp Deployment T e IP address = 192.168.8.1/24 IP address = 192.168.9.1/24 Inline Deployment Method NAC 800 as a RADIUS-Only Solution Solution NAC 800 as Both a Radius Server and an Endpoint Integrity Access Control Concepts User Authenticates and Is Placed in the Test Vlan Access Control Concepts User Re-authenticates and Is Placed in the Appropriate Vlan ProCurve IDM Wlan IAS, and the IDM agent on the same Windows Server Radius Process with IDM Customer Needs Assessment Customer Needs Assessment Overview Customer Needs Assessment Types of Users Employees Temporary Employees Guests Network Skills Recording Information about Users Network Users Wireless Connections Wired ConnectionsTypes of Connections Remote Connections Group Permitted Connections Access Times Network ResourcesRecording the Types of Connections Available to Users Access Control Zones Wireless and Wired Zones Access Control Zones Customer Needs Assessment Determine Risk Tolerance Regulations Federal Information Security Management Act Regulatory Compliance Quantify Your Company’s Risk Tolerance Vulnerability to Attacks Attack VectorsExternal Attacks Internal Attacks Types of Attacks Malware Viruses and Worms Customer Needs Assessment Customer Needs Assessment Size Evaluate the Existing Network EnvironmentEdge Devices Recording Information about Network Switches Switch Vendor Firmware LocationPort Mirroring Model Number Version Supported Monitoring Spanning AP as a Supplicant Workstations and Laptops EndpointsRecording Information about APs Customer Needs Assessment Other Endpoints Recording Information about Workstations and LaptopsLaptop or Quantity User Operating Applications Workstation System Network Radius Servers Directory ServiceRecording Information about Other Endpoints Routing Information Subnets and VLANsDchp Servers Network Diagram Sample Network Diagram Determine Your Endpoint Integrity Requirements Browser Security Policy-Windows Customer Needs Assessment Default Settings for Internet Explorer Zones Select Security Settings for Your CompanyZone Default Setting Security Settings-Windows Security Settings-OSOperating System-Windows Software-Windows Human Factor Control over Network Resources IT Department Workload Users’ Cooperation Customer Needs Assessment Customer Needs Assessment Designing Access Controls Endpoint Capabilities and Administrative Control Designing Access Controls Select an EAP Method for 802.1X 106 Comprehensive Security Policy Components Designing Access Controls Process of Designing Access Control Security Example Network Diagram of the PCU Campus Designing Access Controls PCU Campus Zones Network Infrastructure Divided into Access Zones Choose the Access Control Methods Advantages and Disadvantages of Access Control Methods High Endpoints that accessHigh effort to Security Concerns by Zone Network Access Zones SecuritySecurity Zone Private Public Wired Zone Security Concerns Wireless Zone Security Concerns WEP Wireless Security WPA/WPA2 Tkip CCMP-AES Web-Auth None by default Do your endpoints have 802.1X supplicants? Vulnerability and Risk Tolerance Selecting an Access Control Method Based on Security Needed Technical Knowledge CharacteristicsUser Type and Sophistication Example Access Control Method by User Sophistication Level MAC-Auth Web-Auth 802.1X Administrative Workload Access Control Method by User Type and Sophistication Access Control Method by Administrative Workload Endpoint Compatibility of Access Control Methods 10. Configuration of PCU’s Endpoints Hardware Type of Interface Operating System Administrative Control over Endpoints 11. Access Control Method by Endpoint Capabilities 13. Access Control Method by Administrative Control Level 12. Administrative Control LevelsDescription Switch Series MAC-Auth Web-Auth 802.1X 14. Authentication Method by Administrative ControlNetwork Infrastructure Devices 17. Access Control Method by Existing Infrastructure New capabilities for these wireless productsProCurve Product Software Version MAC-Auth Web-Auth 802.1X Network Infrastructure Devices as 802.1X Supplicants ProCurve Switches 802.1X Supplicant Bringing All of the Factors Together 19. Access Control Methods by Feasibility Them 20. Preliminary Decisions for the Access Control Method Factor Weight Private Wired Public Wired 21. Preliminary Decisions for the Access Control Method 22. Access Control Methods for Each Zone Make Decisions about Remote Access VPNZone Access Control Method 23. Disadvantages of Remote Access Decide Whether to Grant Remote AccessDisadvantages Mitigating Factors Select VPN Options 24. Advantages of Remote AccessAdvantages Explanation 25. Options for VPN Protocols Vulnerability and Risk Assessment DSA 26. Selecting VPN Options Based on Security Needs They have? Router or firewall Administrative Workload and IT Budget Designing Access Controls 29. Endpoint Compatibility for Remote Access Native Capabilities With VPN Client Existing Network Infrastructure 30. Selecting VPN Options Based on Endpoint Bringing All Factors Together 32. Preliminary Decisions for VPN Options 33. PCU’s Preliminary Decisions for VPN Options Access Control Method Choose the Endpoint Integrity Deployment Method MAC-Auth 35. Deployment Method by Access Control Method Vulnerability to Risks and Risk Tolerance Designing Access Controls Factor Private Wired Public Wired Public Wireless Remote36. Security Level of Deployment Methods 37. Deployment Method by Security Connection Type Wireless38. Deployment Method by Existing Network Infrastructure Bringing the Factors Together Wireless Connection type Inline39. Deployment Method by Connection Type 42. Deployment Method by Zone Factor Weight Private Wired Public Wired Remote WirelessZone Deployment Method 43. Summary of Testing Methods Choose Endpoint Integrity Testing MethodsTesting Method Advantages Disadvantages Requirements for Testing Methods NAC EI Agent InstallShield Wizard for the NAC EI Agent Requirements for ActiveX Testing Advantages and Disadvantages of NAC Agent TestingActiveX Advantages and Disadvantages of ActiveX Testing Agentless Requirements for Agentless Testing Deciding Which Testing Methods to EnableAdvantages and Disadvantages of Agentless Testing Transparent Testing Designing Access Controls Testing with User Interaction Testing methods Designing Access Controls Factors to Consider for Testing Methods Administrative Control over Endpoints 44. Testing Method by Control over Endpoints 45. Testing Method by Administrative ControlFactor Public Wired Private Wired Private Wireless Remote Post-Connect Testing 46. Testing Methods by Post-Connect Testing 47. Testing Method by Post-Connect Testing User Sophistication 49. Testing Methods for User Sophistication 48. Testing Method by User SophisticationPrivate Remote Wireless 50. Testing Methods by Administrative Workload Administrative WorkloadAgentless ActiveX NAC IE Agent 51. Testing Methods for Administrative Workload Network Overhead 52. Testing Method by Network Overhead 53. Preliminary Decisions for Testing MethodsFactor Public Wired Bringing All of the Factors Together 54. Preliminary Decisions for Testing Method Network Authentication Architecture Choose Radius Servers Radius Servers in a Network Without Endpoint Integrity Choose Which Devices Will Play the Role of PDP 55. General Combination 56. Integrated Server Combination57. Integrated Server/Proxy Combination 58. Turnkey Server 60. Fully Integrated Combination 61. Alternate Integrated Server/Proxy CombinationPEPs with Built-in PDPs PEPs with Built-in PDPs and Policy/Credential Repositories Users Combination Wired Per LAN Wireless Per LAN Total WAN 64. Scalability of Access Control Component Combinations 65. Access Control Component CombinationsMost Scalable Least Scalable Choose an Access Control Architecture Designing Access Controls 67. Radius Server Locations Centralizing Policies 68. Radius Server Locations Eliminating Inter-Site Traffic 69. Radius Server Locations Reducing Inter-Site Traffic Determine the Number of Radius Servers 70. Radius Server Locations for PCU Choose Your Radius Servers and Finalize the Plan Radius Server Decision Tree Designing Access Controls IAS as the Radius Server Does your organization already use IAS for other functions? NAC 800 as the Radius Server 72. Integrated Server/Proxy for the NAC 71. General Combination for the NAC73. Turnkey Server Combination for the NAC Wireless Edge Services Module Database Designing Access Controls IDM Overview Add ProCurve IDMDetermine If You Need IDM Design Parameters for a Network with IDM Create Access Policy Groups Add Users 10. EAP Method Decision Flowchart Select an EAP Method for Designing Access Controls 75. EAP Methods Supported by 802.1X Supplicants Supplicant EAP-TNC EAP-LEAP Not 76. EAP Methods Supported by Radius ServersServer Designing Access Controls Finalize Security Policies User Groups and Policies77. Final Security Policy by Zone 78. Example Security Policy by Zone Access Group Policies with IDM 79. Access Profiles Access ProfileAccess Profiles 80. Dynamic VLANs 81. Dynamic VLANs for PCU 82. Resources by Entire Vlan 83. ResourcesResource Vlan ID Subnet Address Resource IP Address Protocol 84. PCU Resources by Vlan 85. PCU Resources 86. Resources Allowed in Access Profiles Access Profile Resources 87. Resources Allowed in PCU Access Profiles Access Profile Resource Faculty Web servers, white pages Library catalog and printer 88. Resources Allowed in Access Profiles Resources Rate Limit QoS 89. Access Policy Group Rules 90. Sample Access Policy Group Rules for PCUAccess Policy Inputs Group Location Time System Outputs-Access Profile Access Policies without IDM 91. Radius Attributes in Access Requests Attribute Explanation Value for My Policy 93. Dynamic Settings for My Policies 92. Authentication Protocols for My PoliciesAttribute Policy 1-Setting Policy 2-Setting Create the NAC Policies Design NAC Policy Groups Design NAC Policies 94. Tests for Minimal Endpoint Integrity 95. Tests for Minimal Endpoint Integrity 96. Tests for Medium Endpoint Integrity Anti-Virus Anti-Spyware Personal Firewalls Mac Firewall 97. Web Browser Tests Test Settings Mozilla Firefox Browser? Enter the required versions in Table 98. Macro Security Tests 99. Other Tests for HotfixesMicrosoft Excel Microsoft Outlook Windows Media Mac QuickTime IIS 101. Tests for Applications 100. Windows Automatic UpdatesOptions Your selection 102. Tests for Services 103. Tests for Shared Connections104. Tests on Mac Airport Windows Bridge Network Connection Mac Internet Sharing Specified as allowed Core Resources Lay Out the Network105. Test for Windows Startup Registry Entries T e Access Zones for Endpoints Public Wired Zone Vlan Assignment and Other Dynamic Settings. You can set up 106. Public Wired Zone Policies 133 Public Wireless Zone 108. Public Wireless Zone Policies Designing Access Controls 109. Capabilities of ProCurve Wireless Products Product Software Version Radios Modes WLANs EAP Method for Software AuthenticationVersion Methods 802.1X 111. PoE Requirements on ProCurve RPs and APs 112. ProCurve Products That Support PoE Lay Out the Network Private Wired Zone 113. Private Wired Zone Policies Might otherwise be ignored 115. Private Wireless Zone Policies Private Wireless ZoneMS-CHAPv2 Remote Zone Designing Access Controls Module VPN Protocol Maximum Encryption NumberTunnels 3DES Combining Access Control Zone Designs Adjacent ZonesOverlapping Zones 117. VPN Capabilities of the ProCurve VPN Client Designing Adjacent and Overlapping Zones Adding Access Control to an Existing Network Integrating all Parts of the Network Design Migrating from One Solution to Another 150 Services and Support ProCurve Elite Partners Implementation Other Resources Elements of Each Access Control Solution Elements Solution Other Resources Appendix a Glossary Numeric See also Dhcp deployment method and inline deployment method Access point See AP Appendix a Glossary Agent See NAC EI agent Appendix a Glossary Appendix a Glossary Appendix a Glossary Digital certificate See certificate EI See endpoint integrity Extensible See EAP Authentication Protocol GTC See EAP-GTC Enforcement See ES. server Inline quarantine method Appendix a Glossary Management See MS. server Lightweight See LDAP. directory access ProtocolMirroring, remote See remote mirroring Appendix a Glossary Appendix a Glossary Permanent agent Peer-to-peerPoE Pre-shared key See PSK Posture See integrity posturePublic key See PKI. infrastructure Radio port See RP Remote procedure See RPC. call Appendix a Glossary Appendix a Glossary Appendix a Glossary Appendix a Glossary Html Appendix a Glossary Appendix a Glossary Index See DNS EAP … 1-21, 1-25, 1-53 EAP GTC … See Imsi OS-X See SOX security policies TLS See WEP Contents Contents Overview ProCurve Access Control Solution Enhancements to the ProCurve Access Control Solution ProCurve NAC Deep Check TestingSMB Signing Integration with Microsoft SMS Post-Connect NAC TestingSupport for Rdac Dhcp Plug-in Deployment Identity Driven Manager Better synchronization with Microsoft Active Directory ProCurve Access Control Solution Microsoft NAP NAP Components NAP client NAP enforcement point Active Directory domain service NAP health policy server NPSHealth requirement servers Restricted network NAP Client Architecture NAP Enforcement Clients ECsSystem Health Agents SHAs NAP Agent NAP Server Architecture Figure A-4. Client-Side NAP Architecture Table A-2. NAP ECs and Corresponding NAP Enforcement Points NAP Enforcement PointNAP Enforcement Point Health Requirement Servers Network Access MethodsIPsec Figure A-5. IPsec-Protected and Unprotected Communications Figure A-6. HRA Network Access Dhcp VPN Access 802.1X Authentication Figure A-9. Ieee 802.1X Network Access Remediation and Health Requirement Servers Updating the Access Control Design Process Choose the Endpoint Integrity Solution Existing Network Environment Vulnerability to Risks and Risk Tolerance Existing Network Environment Option Management Resources Risk Tolerance Interoperability Requirements Bringing the Factors Together Factor Weight SelectionInteroperability Option Requirements Choose the Endpoint Integrity Deployment Method Updating the Access Control Design Process Updating the Access Control Design Process