– RADIUS Authentication (802.1X, WebAuth, MACAuth): the most secure access control
– In-Line: effective for remote access clients
– DHCP: endpoint integrity validation for non-802.1X networks
IT-Symposium 2007 18.04.2007
www.hp-user-society.de 9
Slide 17: Network Access Control Appliance
Simplifies deployment by integrating many components of the access control solution into a network appliance
• Network rack-mountable: 1U and shallow-depth
• Authentication service (RADIUS)
• IDM agent for adaptive network access policies
• Local Authentication Directory
• Endpoint integrity assessment
– Automatic updates for integrity rules, security checks, etc.
• Manageable by the PCM+ / IDM management server
Slide 18: Endpoint Integrity Checks
• Antivirus, spyware, firewalls, peer-to-peer, allowed and prohibited programs and services
• OS versions, service packs, hotfixes
• Security settings for browsers and applications
New tests developed and delivered regularly
Slide 19: Endpoint Integrity Tests
• Operating systems / Service Packs
– Windows 2000 hotfixes, Windows Server 2003 SP1 hotfixes, Windows Server 2003 hotfixes, Windows XP SP2 hotfixes, Windows XP hotfixes, Windows automatic updates
• Browser security policy
– IE internet security zone, IE local intranet security zone, IE restricted site security zone, IE trusted site security zone, IE version
• Security settings
– MS Excel macros, MS Outlook macros, MS Word macros, Services not allowed, Services required, Windows Bridge Network Connection, Windows security policy, Windows startup registry entries allowed
• P2P and instant messaging
– Altnet, AOL Instant Messenger, BitTorrent, Chainsaw, Chatbot, DICE, dIRC, Gator, Hotline Connect Client, IceChat IRC client, ICQ Pro, IRCXpro, Kazaa, Kazaa Lite K++, leafChat, Metasquarer, mIRC, Morpheus, MyNapster, MyWay, NetIRC, NexIRC, Not Only Two, P2PNet.net, PerfectNav, savIRC
• Personal firewalls
– AOL Security Edition, BlackICE Firewall, Computer Associates EZ Firewall, Internet Connection Firewall (pre XP SP2), McAfee Personal Firewall, Panda Internet Security, F-Secure Personal Firewall, Norton Personal Firewall / Internet Security, Sygate Personal Firewall, Symantec Client Firewall, Tiny Personal Firewall, Trend Micro Personal Firewall, ZoneAlarm Personal Firewall, Senforce Advanced Firewall, Windows Firewall
• MS Office version check
– Microsoft Office XP, Microsoft Office 2003, Microsoft Office 2000
• Anti-spyware
– Ad-Aware SE Personal, Ad-Aware Plus, Ad-Aware Professional, CounterSpy, McAfee AntiSpyware, Pest Patrol, Spyware Eliminator, Webroot Spy Sweeper, Windows Defender
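As an added example (not ProCurve NAC code, and not the product's rule format), the following shows how tests of the kinds listed above can be evaluated against an endpoint inventory to produce a pass/fail result with the reasons for failure. The inventory layout, the policy structure, the service names, the "KB-EXAMPLE" hotfix identifiers and the two sample endpoints are all constructed for this example; the firewall, anti-spyware and P2P product names are taken from the slide.

```python
"""Endpoint integrity (EI) rule evaluation against a host inventory.

Added example, not ProCurve NAC code. A constructed inventory of one
endpoint is checked against rules of the kinds the slide lists: OS
hotfixes and automatic updates, a recognised personal firewall and
anti-spyware product, prohibited P2P/IM programs, required and
disallowed services, and Office macro security. The inventory format,
rule names, hotfix identifiers and sample values are assumptions.
"""
from __future__ import annotations

from dataclasses import dataclass

# Constructed subsets of the product lists on the slide.
KNOWN_FIREWALLS = {
    "Windows Firewall", "ZoneAlarm Personal Firewall",
    "Sygate Personal Firewall", "Norton Personal Firewall",
}
KNOWN_ANTISPYWARE = {"Windows Defender", "Webroot Spy Sweeper", "Ad-Aware SE Personal"}
PROHIBITED_PROGRAMS = {"Kazaa", "BitTorrent", "Morpheus", "mIRC", "ICQ Pro"}

MACRO_LEVELS = {"low": 0, "medium": 1, "high": 2}


@dataclass
class Endpoint:
    os: str                      # e.g. "Windows XP"
    service_pack: int
    hotfixes: set[str]           # installed hotfix identifiers (constructed)
    automatic_updates: bool
    firewall: str | None         # product name, or None if none is running
    antispyware: str | None
    programs: set[str]           # installed program names
    services_running: set[str]
    office_macro_security: str   # "low", "medium" or "high"


@dataclass
class Policy:
    required_hotfixes: dict[tuple[str, int], set[str]]   # (os, service pack) -> ids
    required_services: set[str]
    services_not_allowed: set[str]
    min_macro_security: str = "high"


def evaluate(ep: Endpoint, policy: Policy) -> list[str]:
    """Return the checks the endpoint failed; an empty list means it passed EI."""
    failures: list[str] = []

    required = policy.required_hotfixes.get((ep.os, ep.service_pack), set())
    missing = sorted(required - ep.hotfixes)
    if missing:
        failures.append(f"hotfixes missing: {missing}")
    if not ep.automatic_updates:
        failures.append("Windows automatic updates disabled")

    if ep.firewall not in KNOWN_FIREWALLS:
        failures.append("no recognised personal firewall")
    if ep.antispyware not in KNOWN_ANTISPYWARE:
        failures.append("no recognised anti-spyware product")

    found = sorted(ep.programs & PROHIBITED_PROGRAMS)
    if found:
        failures.append(f"prohibited P2P/IM programs installed: {found}")

    stopped = sorted(policy.required_services - ep.services_running)
    if stopped:
        failures.append(f"required services not running: {stopped}")
    forbidden = sorted(ep.services_running & policy.services_not_allowed)
    if forbidden:
        failures.append(f"disallowed services running: {forbidden}")

    if MACRO_LEVELS[ep.office_macro_security] < MACRO_LEVELS[policy.min_macro_security]:
        failures.append(f"Office macro security below {policy.min_macro_security}")
    return failures


def passes(ep: Endpoint, policy: Policy) -> bool:
    return not evaluate(ep, policy)


# Constructed sample policy for Windows XP SP2 hosts.
SAMPLE_POLICY = Policy(
    required_hotfixes={("Windows XP", 2): {"KB-EXAMPLE-1", "KB-EXAMPLE-2"}},
    required_services={"wuauserv"},      # Automatic Updates service
    services_not_allowed={"TlntSvr"},    # Telnet server
)

# A compliant host and one with several problems (both constructed).
COMPLIANT = Endpoint(
    os="Windows XP", service_pack=2,
    hotfixes={"KB-EXAMPLE-1", "KB-EXAMPLE-2", "KB-EXAMPLE-3"},
    automatic_updates=True, firewall="Windows Firewall",
    antispyware="Windows Defender", programs={"Microsoft Office 2003"},
    services_running={"wuauserv", "SharedAccess"}, office_macro_security="high",
)
NONCOMPLIANT = Endpoint(
    os="Windows XP", service_pack=2,
    hotfixes={"KB-EXAMPLE-1"},
    automatic_updates=False, firewall=None,
    antispyware="Windows Defender", programs={"Kazaa", "mIRC"},
    services_running={"TlntSvr"}, office_macro_security="low",
)

if __name__ == "__main__":
    for name, ep in (("compliant", COMPLIANT), ("noncompliant", NONCOMPLIANT)):
        result = evaluate(ep, SAMPLE_POLICY)
        print(name, "PASSED" if not result else "FAILED")
        for reason in result:
            print("  -", reason)
```

Returning the full list of failed checks rather than a bare verdict is what makes the remediation VLAN useful: the client can be told exactly which test to fix before it reauthenticates.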
• Access to network is controlled via DHCP management by ProCurve NAC
• ProCurve NAC enforces Endpoint Integrity validation of DHCP clients
Slide 25 note (kevin_porter, 2/7/2007): This is an alternate view for the previous slide on "InLine Mode for Remote Access". This version removes the firewall, which is common, but not required. This allows for a larger version of the ProCurve NAC product.
Slide 27: IDM + ProCurve NAC 800 + EI Agents (Adaptive Access Control with Endpoint Integrity)
For organizations who want a complete Access Control solution …
• Authenticated users – protects the network from unauthorized users and devices
• Adaptive network access rights – provides appropriate network access based on business policies for the user
• Endpoint Integrity – protects the network from harmful systems and enforces system software requirements
• Ease of deployment and management – enables businesses to implement an effective NAC solution today
Slide 28: IDM and ProCurve NAC Use Models (Adaptive Network Access with Endpoint Integrity)
Diagram: ProCurve NAC 800 with ProCurve NAC Agent Licenses; Corporate VLAN and Remediation VLAN; client states: Unknown, on Remediation VLAN to be tested; Failed, on Remediation VLAN, will be retested at next authentication; Passed, connected to Corporate VLAN
• Solution includes: IDM, ProCurve NAC 800, and ProCurve NAC EI Agent Licenses
• Remediation VLAN configured to all secured edge ports, in addition to all other company VLANs used
• Clients authenticate via 802.1X, and are placed on VLAN based on EI status:
– Corporate VLAN if they have recently passed EI testing
– Remediation VLAN if they are Unknown … will be tested now and reauthenticated if they pass the EI test
– Remediation VLAN if they fail EI testing
• IDM also sets ACLs, QoS, and Bandwidth limits based on access policy
• Works for both wired and wireless ProCurve edge devices
Diagram components: PCM/IDM Server, ProCurve Adaptive Edge Devices
Slide 29: IDM + ProCurve NAC 800 (Adaptive Access Control)
For organizations who want to control network users and provide adaptive network access
• Authenticated users – protects the network from unauthorized users and devices
• Adaptive network access rights – provides appropriate network access based on business policies for the user
• Ease of deployment and management – enables businesses to implement an effective NAC solution today
Slide 30: IDM and ProCurve NAC Use Models (Adaptive Network Access)
Diagram: ProCurve NAC 800; Faculty VLAN and Student VLAN; Student connected to Student VLAN; Faculty Member connected to Faculty VLAN
• Solution includes IDM and ProCurve NAC 800
• Clients authenticate via 802.1X, and are placed on a VLAN based on the IDM Access Policy.
– The IDM access policy can also set ACLs, QoS, and Bandwidth Limits
• Works for both wired and wireless ProCurve edge devices
Diagram labels: Guest VLAN (Guest connected to Guest VLAN), Management VLAN, PCM/IDM Server, ProCurve Adaptive Edge Devices
Slide 31: ProCurve NAC 800 + EI Agents (Access Control with Endpoint Integrity)
For organizations who want to enforce system software requirements and protect their network from harmful systems …
• Endpoint Integrity – protects the network from harmful systems and enforces system software requirements
• Authenticated users – protects the network from unauthorized users and devices
• Ease of deployment and management – enables businesses to implement an effective NAC solution today
Slide 32: ProCurve NAC 800 + EI Agents (Access Control with Endpoint Integrity)
Diagram: ProCurve NAC 800 with ProCurve NAC Agent Licenses; Corporate VLAN and Remediation VLAN; client states: Unknown, on Remediation VLAN to be tested; Failed, on Remediation VLAN, will be retested at next authentication; Passed, connected to Corporate VLAN
• Solution includes: IDM, ProCurve NAC 800, and ProCurve NAC EI Agent Licenses
• Remediation VLAN configured to all secured edge ports, in addition to all other company VLANs used
• Clients authenticate via 802.1X, and are placed on VLAN based on EI status:
– Corporate VLAN if they have recently passed EI testing
– Remediation VLAN if they are Unknown … will be tested now and reauthenticated if they pass the EI test
– Remediation VLAN if they fail EI testing
• Works for both wired and wireless ProCurve edge devices
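The placement logic described on slides 28, 30 and 32 (VLAN chosen from the IDM access policy, overridden by the endpoint integrity status, and delivered to the edge switch in the RADIUS Access-Accept) can be written out as a small decision function. This is an added example, not IDM or ProCurve NAC code: the user groups, VLAN IDs, ACL names and rate limits are constructed, and the simulated reauthentication sequence is a model of the Unknown/Failed/Passed cycle the slides describe. The Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-Id attributes are the standard RFC 3580 VLAN assignment attributes; the slides do not show how IDM carries ACL and rate-limit settings to the switch, so those are left in the decision object and not encoded.

```python
"""VLAN placement of an authenticated 802.1X client from the IDM access
policy and the endpoint integrity (EI) status, returned to the switch as
the RFC 3580 tunnel attributes in a RADIUS Access-Accept.

Added example, not IDM or ProCurve NAC code. User groups, VLAN IDs, ACL
names and rate limits are constructed; the Tunnel-* attribute names and
values are the standard RFC 2868/3580 ones.
"""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum


class EIStatus(Enum):
    UNKNOWN = "unknown"   # never tested, or no recent result
    FAILED = "failed"
    PASSED = "passed"


@dataclass(frozen=True)
class AccessRights:
    vlan_id: int
    acl: str                     # constructed ACL name
    rate_limit_kbps: int | None  # None = no bandwidth limit


# IDM access policy rules keyed by user group (all values constructed).
ACCESS_POLICY = {
    "faculty": AccessRights(vlan_id=10, acl="faculty-acl", rate_limit_kbps=None),
    "student": AccessRights(vlan_id=20, acl="student-acl", rate_limit_kbps=10_000),
    "guest":   AccessRights(vlan_id=30, acl="guest-internet-only", rate_limit_kbps=2_000),
}
# Remediation VLAN: configured on every secured edge port, limited to what a
# client needs in order to be tested and patched (constructed values).
REMEDIATION = AccessRights(vlan_id=99, acl="remediation-only", rate_limit_kbps=1_000)


def decide(authenticated: bool, group: str | None, ei: EIStatus | None) -> AccessRights | None:
    """Access rights to grant, or None for an Access-Reject.

    ei=None models a deployment without EI agent licences (slides 29/30):
    placement then follows the access policy alone.
    """
    if not authenticated or group not in ACCESS_POLICY:
        return None
    if ei in (EIStatus.UNKNOWN, EIStatus.FAILED):
        # Unknown clients are tested on the remediation VLAN and reauthenticated
        # if they pass; failed clients stay there until the next authentication.
        return REMEDIATION
    return ACCESS_POLICY[group]


def radius_vlan_attributes(rights: AccessRights) -> dict[str, str]:
    """RFC 3580 attributes that tell the switch which VLAN to assign."""
    return {
        "Tunnel-Type": "VLAN",                           # attribute 64, value 13
        "Tunnel-Medium-Type": "IEEE-802",                # attribute 65, value 6
        "Tunnel-Private-Group-Id": str(rights.vlan_id),  # attribute 81
    }


def authentication_sequence(group: str, test_results: list[bool]) -> list[int]:
    """VLAN the client lands on at each successive authentication.

    The client starts as Unknown; each entry of test_results is the outcome
    of the EI test run while it sits on the remediation VLAN, after which it
    reauthenticates.
    """
    status = EIStatus.UNKNOWN
    vlans = [decide(True, group, status).vlan_id]
    for ok in test_results:
        status = EIStatus.PASSED if ok else EIStatus.FAILED
        vlans.append(decide(True, group, status).vlan_id)
    return vlans


if __name__ == "__main__":
    rights = decide(True, "faculty", EIStatus.PASSED)
    print(radius_vlan_attributes(rights))
    print(authentication_sequence("faculty", [False, True]))  # [99, 99, 10]
```

The point of keeping the EI override separate from the access policy lookup is that a failed or untested client is never granted its normal rights by accident: it reaches the corporate, faculty, student or guest VLAN only after a fresh authentication with a Passed status.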
Diagram components: ProCurve Adaptive Edge Devices
Slide 33: IDM and ProCurve NAC 800 Use Models (Enterprise with Remote Office)
Diagram: Main Enterprise Site and Remote Office; PCM/IDM Server; ProCurve NAC 800 appliances at the main site (one labelled Manager) and at the remote office; Corporate VLAN and Remediation VLAN
Slide 34: ProCurve Access Control Solution (Layers of Security)
Diagram (Client, Switch, RADIUS) with the following layers and labels:
• Authentication: RADIUS; 802.1X (802.1X supplicant on the client), WebAuth and MAC Auth (web browser on the client)
• Authorization: IDM Access Policy Rules; VLAN, ACL, QoS, Rate-limit
• Endpoint Integrity
• Accounting: RADIUS Accounting, IDM Reports, Session Counters
Slide 35: Summary
ProCurve provides a comprehensive and manageable Access Control solution to prevent untrusted network use on both campus and distributed sites
• A deployable and manageable solution
• Suitable for current environments and extensible to future needs
• Protects network from harmful and infected systems
• Enforces business policies regarding network access rights
• Unified access control for LAN, WLAN, and WAN
The ProCurve Access Control solution helps administrators deploy secured network access based on business policy