This document contains proprietary information, which is
protected by copyright. No part of this document may be
photocopied, reproduced, or translated into another language
without the prior written consent of Hewlett-Packard.
Applicable ProCurve Products
Network Access Controller 800(J9065A)
ProCurve Manager Plus (J9056A)
Identity Driven Manager(J9012A)
IPsec VPN Base Modules(J9026A, J8471A)
Secure Router 7102dl(J8752A)
Secure Router 7203dl(J8753A)
Switch 5406zl(J8697A)
Switch 5406zl-48G (J8699A)
Switch 5412zl(J8698A)
Switch 5412zl-96G(J8700A)
Switch 5304xl(J4850A)
Switch 5304xl-32G(J8166A)
Switch 5308xl(J4819A)
Switch 5308xl-48G(J8167A)
Switch 5348xl(J4849A)
Switch 5372xl(J4848B)
Switch 8212zl(J8715A)
Wireless Edge Services xl Module(J9001A)
Redundant Wireless Services xl Module (J9003A)
Wireless Edge Services zl Module(J9051A)
Redundant Wireless Services zl Module(J9052A)
AP 530(J8986A)
AP 420 na/ww(J8130B, J8131B)
RP 210(J9004A)
RP 220(J9005A)
RP 230(J9006A)
Trademark Credits
ActiveX, Microsoft, Windows, Windows NT, and Windows
XP are U.S. registered trademarks of Microsoft Corporation.
Apple, Mac OS, and QuickTime are registered trademarks of
Apple, Inc.
CRYPTOCard is a registered trademark of Cryptocard
Corporation.
eDirectory, NetWare, Novell, and SUSE are registered
trademarks of Novell, Inc.
Juniper Networks is a registered trademark of Juniper
Networks, Inc.
Linux is a registered trademark of Linus Torvalds.
OpenLDAP is a registered trademark of the OpenLDAP
Foundation.
Red Hat is a registered trademark of Red Hat, Inc.
Solaris is a registered trademark of Sun Microsystems, Inc.
Steel-Belted Radius is a registered trademark of Funk
Software, Inc.
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.
The only warranties for HP products and services are set
forth in the express warranty statements accompanying
such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions
contained herein.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.
Warranty
See the Customer Support/Warranty booklet included with
the related products.
A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.
Open Source Software Acknowledgment
Statement
This software incorporates open source components that
are governed by the GNU General Public License (GPL),
version 2. In accordance with this license, ProCurve
Networking will make available a complete, machine-readable copy of the source code components covered by
the GNU GPL upon receipt of a written request. Send a
request to:
Hewlett-Packard Company, L.P.
Wireless Edge Services xl Module Program
GNU GPL Source Code
Attn: ProCurve Networking Support
MS: 5550
Roseville, CA 95747 USA
Hewlett-Packard Company
8000 Foothills Boulevard
Roseville, California 95747
http://www.procurve.com/
Over the last several decades, network connectivity has evolved into a
necessary component of nearly every business activity. Users rely on the
network for:
■Data—the information stored in the computing environment
■Applications—the means of manipulating that data
It is a rare user who accesses only the data and applications stored on an
isolated computer system. Instead, a user connects to a network, which allows
his or her endpoint—the device used to connect to the network—to access
data and applications stored on many systems.
Resources stored and delivered over a network are valuable; they might
include medical records, payroll information, customers’ financial records,
corporate strategy, and military operation plans. And because the resources
are valuable, some people may attempt to hijack them for their own purposes.
To protect resources from misuse (whether malicious or not), you must
enforce access controls. Many users associate the words access control with
a username and password, submitted to gain access to a particular piece of
data or application. However, an access control is any mechanism for dictating
which users and devices can access particular resources.
You can control users’ access to resources in three ways:
■Data access control (enforced on particular data storage devices)
■Application access control (enforced on particular services)
■Network access control (enforced at the network edge, where users
connect)
Access control is most effective at protecting resources when the three types
work together. But because the network is the means of distributing all data
and applications to users, network access control is particularly important as
a comprehensive solution. Network access control provides the following
functions:
■Blocks access from unauthorized users at each network entry
point—Securing individual resources is not enough. Even when an
attacker cannot reach core resources, he or she can discover much about
your network and potentially implement attacks simply by connecting to
it. A solution for blocking and controlling users at the edge, before they
connect to the network, adds another layer of security to that implemented on individual devices.
1-3
Access Control Concepts
Introduction to Access Control
■Eliminates frustrations created by piecemeal solutions—A well-designed, centrally administered network access control solution minimizes the number of passwords that users must enter throughout the day. Ideally, the solution begins to control the user’s access as soon as he or she connects to the network and continues to do so without further user interaction.
This solution design guide focuses on network access control as the first front in securing your organization’s resources.
Network Access Control
Network access control is the process of controlling who has access to which network resources under what conditions (the time, location, and means of access).
An access control security policy addresses these questions:
■Who should access the network?
■What data, services, and other resources on the network should these users access?
■What conditions should alter the level of access granted to a particular user?
It is easy to think of network access control in terms of the first question only
and to answer that question in a simplistic fashion: “I want to allow the good
guys in and keep the bad guys out.” But, of course, users do not split neatly
into “good guys” and “bad guys,” and attacks do not always originate from the
outside.
You can more usefully think of access control as granting many different types
of users—employees, both temporary and permanent; guests; and customers—the level of access that is appropriate to their needs.
For example, it is appropriate for doctors and nurses in a hospital to access
patient records; they need those records to do their jobs. Receptionists at the
front desk, on the other hand, do not require such access, so the network
should not give it to them. However, the receptionists should, quite appropriately, have access to other network resources (such as appointment databases
and scheduling software). And the only resource appropriate for patients and
visitors might be the Internet and the hospital’s public Web site.
The third question raises another important issue: factors beyond a user’s
identity can affect the appropriate level of access. For example, a daytime
manufacturing worker might require network access during normal working
hours from computers near his assembly station, but not at night or from
computers in the marketing department.
The means by which the user connects to the network can also be relevant.
For example, wireless connections are sometimes more vulnerable to eavesdropping than wired, so a user that is normally allowed to access sensitive
data might be prohibited from viewing that same data over a wireless connection. And because a trusted, well-intentioned user can introduce malware from
within the network by connecting with an improperly secured endpoint, a
complete access control solution should examine the integrity of the user’s
device in addition to the user’s identity.
Chapter 3: “Designing Access Controls” will discuss these considerations in
more depth, guiding you through formulating your own security policy. The
remainder of this chapter focuses on the concepts and technologies that
underlie network access control.
Network Access Control Technologies
This solution design guide focuses on two general types of access control:
■Authentication, authorization, and accounting (AAA)—controls
(and tracks) which users access which resources on the network
■Endpoint integrity—controls which endpoints are allowed on the network based on their compliance with policies for endpoint security
settings
AAA provides the traditional framework for controlling access to the network,
whereas endpoint integrity adds the ability to protect the network from
potentially compromised endpoints.
The remainder of this chapter covers the protocols and technologies that
underlie AAA and endpoint integrity solutions. If you already have a solid
understanding of these concepts, you can proceed immediately to Chapter 2:
“Customer Needs Assessment.” But remember: designing an access control
solution is much less frustrating when you know what choices are available
and what those choices entail.
AAA
Developed by the Internet Engineering Task Force (IETF), AAA dictates how
network devices provide:
■Authentication—determining if users are who they claim to be
■Authorization—deciding which data and applications users can access
and applying controls to enforce those decisions
■Accounting—tracking which resources users actually access
AAA allows you to centralize these functions and standardize policies throughout a network. A AAA server makes decisions that edge devices—in AAA,
called network access servers (NASs)—enforce.
The NASs and AAA servers communicate using a AAA protocol, of which the
two most common are:
■Remote Access Dial-In User Service (RADIUS)
■Terminal Access Controller Access Control System Plus (TACACS+)
This guide focuses on RADIUS because it is compatible with most other access
control mechanisms.
Authentication
Authentication is the process by which a device determines the identity of a
user connecting to a network or attempting to access a resource.
Authentication Factors. A human can identify another human in many
different ways: by a name, a face, an ID badge, or knowledge of a certain piece
of information. And a human can rely on his or her judgment to inform the
identification. In the networking world, authentication boils down to a user
submitting certain information that an authentication server uniquely associates with that user.
However, the information submitted can take several forms, or factors:
■Something the user knows—The user submits a password, which the
authentication server has already associated with the user’s name (also
submitted during authentication). Assuming that no one else knows the
password, the server equates a correct password with an authentic user.
Although relatively easy to deploy, this factor is also the least secure.
Users may write down their passwords where anyone can find them; they
may tell them to friends and family members; they may select easily
guessed passwords. In addition, passwords that are not changed often
enough can be cracked, and passwords submitted or stored in an insecure
manner can be hijacked.
Still, steps have been taken to address these issues. Databases often store
passwords in non-reversibly encrypted form; users may be required to
choose non-dictionary passwords and to change passwords frequently. In
addition, most authentication protocols require users to submit passwords in encrypted form. You need to consider these issues when you
select an authentication protocol because, implemented correctly, passwords are still often a good choice for credentials. (For more information,
see “Authentication Protocols” on page 1-23.)
■Something the user has—The user owns a physical object, such as a
token card or smart card, that identifies him or her, usually by storing
credentials that cannot be compromised without destroying the device.
The stored credentials often take the form of a private key/digital certificate. The private key “signs” data to prove that the user, who is identified
in the associated digital certificate, is the source of the data.
Instead of being installed on a smart card, the private key/digital certificate can be stored directly on a user’s endpoint. In this case, owning the
endpoint (with installed certificate) is what proves the user’s identity.
Unfortunately, although forging these physical devices is difficult, the
devices can be lost or stolen. A user might also allow someone else to
access his or her endpoint—in fact, this might be a common practice in
your organization. Once an unauthorized user possesses the necessary
device, he or she can access the network easily.
■Something the user is—The previous two factors associate individuals
with more or less arbitrary credentials. An increasingly important authentication factor, biometrics attempts to equate users and their credentials,
which are physical characteristics, including voice, face geometry, fingerprints, hand geometry, handwriting dynamics, iris pattern, and retinal
pattern.
In theory at least, a person’s physical characteristics are unique—and so
unalterable and irreproducible. However, to live up to theory, biometrics
require sophisticated, and often expensive, equipment. Privacy concerns
also cause biometrics to be, while the most secure factor, also the least
commonly used.
Each of these factors provides greater security when combined with another
for two-factor authentication. For example, a smartcard or certificate installed
on an endpoint becomes secure when combined with a password. Even if an
unauthorized user seizes control of the device, he or she cannot use it without
the correct password.
Authentication Protocols. An authentication protocol defines the procedure for submitting credentials to the authenticating device (typically, a
network server).
RADIUS authentication comes in three forms, each of which uses a protocol
developed for point-to-point connections:
You’ll learn more about these protocols and their role in network access
control in “Authentication Protocols” on page 1-23.
Authorization
Authorization builds on authentication. Authorization determines which network resources an authenticated user is granted rights to access.
Note: You can also configure the network to authorize unauthenticated users for
certain—typically, very limited—rights.
In addition to considering whether a user has authenticated successfully, a
AAA server assigns rights based on user identity and time and location of
access. In other words, authorization is the mechanism that customizes a
network for different types of users, providing each user with appropriate
network access, rather than blanket “all or none” access.
Therefore, authorization is a particularly important component of a network
access control solution. The authorization aspect of network access control
also removes some of the burden from data and application access control.
For example, you could set up “all or none” access to the network and then
control access to application servers separately on each server. But a better
solution often adds centralized network access control policies that grant
users rights to appropriate services when they first access the network,
preventing unauthorized traffic from ever reaching servers.
Authorization rights that are set up on a AAA server are often called dynamic
or user-based settings because they are assigned to individual users automatically when they connect to the network.
Rights determine:
■Which resources and services the user can and cannot access—Typically,
you enforce these rights with Virtual LAN (VLAN) assignments and access
control lists (ACLs).
Note: ProCurve Identity Driven Manager (IDM) will help you set up your policies
more efficiently, as described in “ProCurve IDM” on page 1-58.
As much as possible, you place resources necessary for a particular group
of users in the same VLAN. ACLs, applied to routers or to edge devices,
permit only the appropriate user groups access to the VLAN in question.
For example, if the server with your payroll database were placed on
VLAN 7, you would restrict access to this VLAN: you would allow only
users in the Accounting group—thereby preventing unauthorized employees from browsing the company payroll.
You can also use rights (specifically, dynamic ACLs) to control which
types of services and applications users can access. TCP and UDP, two
Transport Layer protocols, assign various applications to specific ports.
For example, Web traffic uses TCP port 80 whereas File Transfer Protocol
(FTP) traffic uses TCP port 21. To limit a set of users such as guests to
browsing Web sites, simply restrict their traffic to TCP port 80.
■Other settings for the connection such as rate limits and quality of service
(QoS) settings
These settings affect how a user accesses network resources, rather than which resources a user accesses. For example, you can limit a user to 10
Mbps of bandwidth, or you can assign guest users’ traffic low priority.
Accounting
Accounting, the third AAA function, collects information from NASs about
users and their activities.
At a minimum, accounting logs users’ authentication requests, creating a
record of who has logged in to the network (initial request) and logged out
(final request). Just as important for network security, NASs log rejected
authentication requests, clueing you in to potential attempts to infiltrate the
network.
Accounting reports include information about access requests such as:
■Username
■Date and time
■Transaction type
■NAS ID
■User location (for example, the NAS port ID)
■Amount of data exchanged (reports on ongoing or terminated
connections)
Although tracking users as they log in and out of the network is important, it is
equally important to monitor what they actually do on the network. Many NASs
also send periodic reports on connected users, which update the accounting
server on the resources that the user has accessed during that period.
A security analyst (usually aided by a security solution) can analyze accounting logs to:
■Establish a baseline for normal network activity, which can be used for
resource planning and for comparison with future network activity
■Check for suspicious activity (for example, significant deviations from the
normal activity baseline or multiple rejected access requests)
■Trigger preemptive action to address suspicious behavior (for example,
shutting down the source port generating rejected requests)
■Create reports that demonstrate compliance with regulations such as the
Sarbanes-Oxley Act
Accounting also enables billing; the accounting logs are forwarded to a billing
server, and users are charged for the bandwidth and resources they have
consumed.
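The accounting analysis described above, as an added example that is not part of this guide: two checks an analyst runs over RADIUS authentication log lines, a burst of rejected requests from one NAS port (the case where shutting down the source port is suggested) and a successful login from a NAS port that is new for that user (a deviation from the normal-activity baseline). The line layout is a constructed approximation of a FreeRADIUS-style radius.log; the hostnames, usernames and timestamps are invented and not from any ProCurve product.

```python
"""Detection checks over RADIUS authentication log lines, as suggested in the
accounting discussion: bursts of rejected requests from one NAS port, and OK
logins from a NAS port that is new for that user (a deviation from baseline).

Added example, not ProCurve code. The line layout is a constructed approximation
of a FreeRADIUS-style radius.log; hosts, usernames and times are invented.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed baseline day, used to learn where each user normally logs in.
BASELINE_LOG = """\
Mon Feb 25 08:03:00 2008 : Auth: Login OK: [alice] (from client sw-edge-1 port 7 cli 00-11-22-33-44-55)
Mon Feb 25 08:04:30 2008 : Auth: Login OK: [bob] (from client sw-edge-1 port 12 cli 00-11-22-33-44-66)
Mon Feb 25 08:10:00 2008 : Auth: Login OK: [dave] (from client sw-edge-1 port 2 cli 00-11-22-33-44-77)
"""

# Constructed current day: a burst of rejects on one port and an off-baseline login.
CURRENT_LOG = """\
Mon Mar  3 08:01:10 2008 : Auth: Login OK: [alice] (from client sw-edge-1 port 7 cli 00-11-22-33-44-55)
Mon Mar  3 08:05:00 2008 : Auth: Login incorrect: [carol] (from client sw-edge-2 port 3 cli 00-aa-bb-cc-dd-01)
Mon Mar  3 08:05:05 2008 : Auth: Login incorrect: [carol/<via Auth-Type = eap>] (from client sw-edge-2 port 3 cli 00-aa-bb-cc-dd-01)
Mon Mar  3 08:05:09 2008 : Auth: Login incorrect: [admin] (from client sw-edge-2 port 3 cli 00-aa-bb-cc-dd-01)
Mon Mar  3 08:05:14 2008 : Auth: Login incorrect: [root] (from client sw-edge-2 port 3 cli 00-aa-bb-cc-dd-01)
Mon Mar  3 08:30:00 2008 : Auth: Login incorrect: [dave] (from client sw-edge-1 port 2 cli 00-11-22-33-44-77)
Mon Mar  3 08:31:00 2008 : Auth: Login OK: [dave] (from client sw-edge-1 port 2 cli 00-11-22-33-44-77)
Mon Mar  3 23:40:00 2008 : Auth: Login OK: [alice] (from client sw-mktg-4 port 19 cli 00-11-22-33-44-55)
"""

LINE_RE = re.compile(
    r"^(?P<ts>.+?) : Auth: Login (?P<outcome>OK|incorrect): "
    r"\[(?P<user>[^\]/]+)[^\]]*\] \(from client (?P<nas>\S+) port (?P<port>\d+)"
)


def parse_log(text):
    """Turn log lines into records; lines that do not match the layout are skipped."""
    records = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        # Collapse the padded day field ("Mar  3") before parsing the timestamp.
        ts = datetime.strptime(" ".join(m["ts"].split()), "%a %b %d %H:%M:%S %Y")
        records.append({"time": ts, "ok": m["outcome"] == "OK",
                        "user": m["user"], "port": (m["nas"], int(m["port"]))})
    return records


def find_reject_bursts(records, threshold=4, window=timedelta(minutes=10)):
    """{(nas, port): (total rejects, distinct users)} for each NAS port with at
    least `threshold` rejects inside one `window`. Several different usernames
    tried from one port in a short time is the pattern worth an analyst's eye."""
    rejects = defaultdict(list)
    for r in records:
        if not r["ok"]:
            rejects[r["port"]].append(r)
    bursts = {}
    for port, hits in rejects.items():
        hits.sort(key=lambda r: r["time"])
        for i in range(len(hits) - threshold + 1):
            if hits[i + threshold - 1]["time"] - hits[i]["time"] <= window:
                bursts[port] = (len(hits), sorted({r["user"] for r in hits}))
                break
    return bursts


def learn_locations(records):
    """Baseline: the NAS ports from which each user has logged in successfully."""
    seen = defaultdict(set)
    for r in records:
        if r["ok"]:
            seen[r["user"]].add(r["port"])
    return seen


def off_baseline_logins(records, baseline):
    """Successful logins from a NAS port the user has never been seen on."""
    return [(r["user"], r["port"], r["time"]) for r in records
            if r["ok"] and r["port"] not in baseline.get(r["user"], set())]


if __name__ == "__main__":
    base = learn_locations(parse_log(BASELINE_LOG))
    cur = parse_log(CURRENT_LOG)
    print("reject bursts:", find_reject_bursts(cur))
    print("off-baseline logins:", off_baseline_logins(cur, base))
```

On the constructed lines, the burst check flags sw-edge-2 port 3 (four rejects for three different usernames within 14 seconds) and the baseline check flags alice's late-night login from the marketing switch.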
Network Access Control Architecture
Before turning to methods for implementing a network access control solution, let’s consider the roles network devices play. There are many access
control technologies; fortunately, the same basic architecture is used for all
of them.
Based on definitions in the Internet Engineering Task Force (IETF) standard
for policy-based management, this architecture comprises four logical elements:
■Endpoint
■Policy enforcement point (PEP)
■Policy decision point (PDP)
■Policy repository
(See Request for Comments [RFC] 3084 and 3198 at http://tools.ietf.org/html/.)
Endpoint
The endpoint is the entity attempting to gain access to the network. Usually a
computer (workstation or laptop) or personal digital assistant (PDA), the
endpoint can also be a printer, scanner, or any device with a network interface
card (NIC).
Note: Endpoints are sometimes called stations or clients. This guide will always use
the term endpoint to avoid confusion.
Policy Enforcement Point (PEP)
Acting as the gatekeeper to the network, the PEP enforces access control on
the endpoint, typically at the endpoint’s point of access. Thus, the PEP is often
a switch or wireless Access Point (AP) at the edge of the network. It can also
be a device such as the Wireless Edge Services Module, which controls several
coordinated (or lightweight) APs, which ProCurve refers to as radio ports
(RPs). In this case, the module is the logical point of access because the RPs
encapsulate and forward all traffic to it.
NASs, which you learned about earlier in the AAA section, are also PEPs. The
term NAS is typically used when discussing RADIUS. For consistency, however, this chapter will use the term PEP when discussing RADIUS.
The PEP has two roles:
■Access request generator—Forces endpoints to provide basic information about themselves (credentials) before accessing network resources.
The PEP uses this information to compose an access request on the
endpoint’s behalf.
■Access decision enforcer—Enforces access decisions by opening or
blocking a port, assigning an endpoint to a particular VLAN, or applying
other dynamic settings.
Because the PEP is responsible for initiating and enforcing the access
control method, evaluating the PEP’s capabilities is often one of the first
steps you should take when designing a network access control solution.
This design guide focuses on the many capabilities offered by ProCurve
Networking PEPs, which include both wired switches and wireless APs,
as well as the Wireless Edge Services Module.
Policy Decision Point (PDP)
Simply put, the PDP makes access decisions. It has three roles:
■Translator—Converts security policies into device-specific instructions
that PEPs can understand. The most basic instruction is whether to enable
or disable a port, but these instructions can include settings such as the
VLAN for the port.
■Resolver—Settles policy conflicts that arise as a result of divergent
request needs such as requests for a port to be assigned simultaneously
to two VLANs.
■Information aggregator—Collects information from PEPs for management and monitoring purposes.
The typical PDP is an authentication server, which might be a software
application installed on a computer, a stand-alone appliance, or even a server
built into a PEP such as the Wireless Edge Services Module. An endpoint
integrity solution, or network access controller, is also a PDP.
The PDPs discussed in this guide are:
■RADIUS servers
■Network access controllers
Identity-based management in the form of ProCurve IDM augments the standard PDP translator role. You will learn more about IDM in “ProCurve IDM”
on page 1-58. For now, simply know that IDM helps the PDP factor user group,
location, time, system, and—with the help of a network access controller—endpoint integrity into its decisions. Based on these inputs, IDM can
provide policy instructions to the PEP in the form of various dynamic settings.
The section below gives some examples of RADIUS servers. You will learn
about network access controllers in “Endpoint Integrity” on page 1-36.
Examples of RADIUS Servers. ProCurve solutions have been verified
with several RADIUS servers:
■Microsoft IAS (Windows Server 2000/2003)—Microsoft’s version of
a RADIUS server, Internet Authentication Server (IAS), is bundled with
Windows 2000 Server and Windows Server 2003. In most cases it makes
sense for an organization that runs a Windows domain to use IAS as the
RADIUS platform. For organizations that rely heavily on Active Directory,
the tight integration between IAS and Active Directory facilitates deployment and administration. Note, however, that the tight linkage between
IAS and Active Directory can be a drawback, especially when using MAC-Auth, an access control method described later in this chapter.
■Juniper Steel-Belted Radius—Steel-Belted Radius server provides
additional functions and flexibility beyond that provided by IAS. LDAP
support allows the server to communicate with Active Directory content.
But because the RADIUS server is not as closely integrated into Active
Directory, it can use other credential stores instead, such as UNIX Network Information Services (NIS), token-based servers (RSA, CRYPTOCard), SQL database, or even another RADIUS server. In addition, Steel-Belted Radius is not limited to running on Windows platforms: it can also
run on NetWare or Solaris, or as a hardware appliance.
■ProCurve NAC 800—The NAC 800 can act as your network’s RADIUS
server. It supports RADIUS as a stand-alone access control solution, or it
can integrate its RADIUS capabilities with endpoint integrity checking.
■Built-in server on a PEP—ProCurve Networking offers several wireless
devices that feature their own internal RADIUS server. Since authentication (particularly 802.1X) is key to security in the wireless world, these
built-in servers are ideal for small-to-medium businesses that want to add
wireless networking without compromising security.
The following ProCurve edge devices feature built-in RADIUS servers:
•Wireless Edge Services Module (xl and zl)
•AP 530
Policy Repository
The policy repository stores policies that the PDP draws on to make decisions.
Stored policies include access criteria for users such as username and password, valid MAC address, IP address, location, and time of day. Usually
network policies are stored as sub-elements within a directory that contains
other policy-related information such as user credentials (username/password combinations) and device or network information. A PDP might also
store some of these policies itself and refer to a directory server for user
credentials.
For a PDP to perform its AAA functions, it needs access to the policy
repository. The policy database may be either local (on the same system as
the PDP server) or remote (on a different system on the network).
Local Policy Repository. A local policy database can be as simple as a flat
file under control of the PDP server, or it can be a more complex local database
such as a SQL database or a UNIX password file.
Remote Policy Repository. Remote policy databases are generally superior to local databases because they tend to scale better and offer a central
control point for management. They do, however, require additional upfront
effort to deploy. That objection may be academic if your organization already
has a distributed policy infrastructure in place.
The most common form of a distributed policy database is a directory service.
A server that implements directory services identifies all network resources,
such as users, servers, peripheral devices, and the policies for dealing with
them. In a Microsoft Windows domain, the user and policy database is Active
Directory. Other directory services include Novell eDirectory and OpenLDAP.
A PDP such as a RADIUS server can use a directory service in conjunction
with a local policy repository. For example, the RADIUS server might query
the directory service to check user credentials. After authenticating the user,
the RADIUS server must decide for which rights that user is authorized under
the current conditions. It checks policies that, while they might originate from
the remote repository, might be stored locally instead.
Network Access Control Process
Figure 1-1 shows the typical components of the network access control
architecture.
Figure 1-1. Network Access Control Architecture
You will learn more about how the four components interact in discussions
of specific network access control technologies. For now, you should simply
be familiar with the vocabulary and the most basic process:
1. An endpoint attempts to gain access to the network.
2. The PEP requests and receives the user’s credentials from a utility on the endpoint.
3. With the credentials, the PEP composes an access request, which it forwards to the PDP.
4. The PDP seeks information about the user from the policy repository. On the basis of this information, it decides whether or not to authenticate the user.
With IDM, the PDP can factor additional criteria (such as location, time, and user group) into the decision.
5. If it authenticates the user, the PDP draws on additional policy information from the repository to authorize the user for particular resources. It then generates device-specific configuration instructions (such as the VLAN for the port) for the PEP.
6. The PEP configures its ports according to the instructions from the PDP. The user’s endpoint receives the appropriate level of access.
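The six-step process above walked through in code, as an added example that is not ProCurve or IDM code: the PEP composes the access request from the user's credentials, the PDP authenticates against a policy repository and authorizes with group, time-of-day and location conditions, and the PEP applies the returned VLAN to the port. The repository contents, user and group names, PEP names, VLAN numbers and timestamps are constructed assumptions; the attributes in the accept message follow the RFC 3580 VLAN-assignment convention (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID).

```python
"""Simulation of the six-step process: endpoint -> PEP -> PDP -> repository.

Added example, not ProCurve or IDM code. Repository contents, names, VLAN
numbers and timestamps are constructed for illustration.
"""
import hashlib
from datetime import datetime

TUNNEL_TYPE_VLAN = 13    # RFC 3580 Tunnel-Type value meaning "VLAN"
TUNNEL_MEDIUM_802 = 6    # RFC 3580 Tunnel-Medium-Type value meaning "IEEE-802"


def _digest(salt, password):
    """Salted SHA-256, standing in for the non-reversibly encrypted stored form."""
    return hashlib.sha256((salt + password).encode()).hexdigest()


# Constructed policy repository consulted in steps 4 and 5.
REPOSITORY = {
    "users": {
        "dr_smith":  {"salt": "a1", "pw": _digest("a1", "correct horse"), "group": "clinical"},
        "frontdesk": {"salt": "b2", "pw": _digest("b2", "reception!"), "group": "reception"},
    },
    # Per group: VLAN to grant, permitted hours [start, end) and permitted PEPs.
    "groups": {
        "clinical":  {"vlan": 10, "hours": (6, 22), "peps": {"ward-sw-1", "ward-sw-2"}},
        "reception": {"vlan": 20, "hours": (7, 19), "peps": {"lobby-sw-1"}},
    },
    # Limited rights for a known user connecting outside the group's conditions.
    "restricted_vlan": 99,
}


class Pdp:
    """Policy decision point: authenticates (step 4) and authorizes (step 5)."""

    def __init__(self, repository):
        self.repo = repository

    def decide(self, request, now):
        user = self.repo["users"].get(request["User-Name"])
        if user is None or _digest(user["salt"], request["User-Password"]) != user["pw"]:
            return {"code": "Access-Reject"}
        policy = self.repo["groups"][user["group"]]
        start, end = policy["hours"]
        conditions_met = start <= now.hour < end and request["NAS-Identifier"] in policy["peps"]
        vlan = policy["vlan"] if conditions_met else self.repo["restricted_vlan"]
        # Device-specific instruction for the PEP: VLAN assignment per RFC 3580.
        return {"code": "Access-Accept",
                "Tunnel-Type": TUNNEL_TYPE_VLAN,
                "Tunnel-Medium-Type": TUNNEL_MEDIUM_802,
                "Tunnel-Private-Group-ID": str(vlan)}


class Pep:
    """Policy enforcement point: builds the access request (steps 2-3) and
    configures the port from the decision (step 6)."""

    def __init__(self, name, pdp):
        self.name, self.pdp = name, pdp
        self.ports = {}  # port number -> {"open": bool, "vlan": int or None}

    def connect(self, port, username, password, now):
        # Steps 1-2: the endpoint arrives and supplies credentials. A real PEP
        # would obfuscate User-Password with the RADIUS shared secret in transit.
        request = {"User-Name": username, "User-Password": password,
                   "NAS-Identifier": self.name, "NAS-Port": port}
        response = self.pdp.decide(request, now)            # steps 3-5
        if response["code"] == "Access-Accept":             # step 6
            self.ports[port] = {"open": True, "vlan": int(response["Tunnel-Private-Group-ID"])}
        else:
            self.ports[port] = {"open": False, "vlan": None}
        return self.ports[port]


def run_scenario():
    """Walk constructed connections through the process; returns the port states."""
    pdp = Pdp(REPOSITORY)
    ward, lobby = Pep("ward-sw-1", pdp), Pep("lobby-sw-1", pdp)
    day, night = datetime(2008, 3, 3, 9, 0), datetime(2008, 3, 3, 23, 30)
    return {
        "doctor_on_ward_daytime": ward.connect(1, "dr_smith", "correct horse", day),
        "doctor_bad_password": ward.connect(2, "dr_smith", "wrong", day),
        "doctor_on_ward_at_night": ward.connect(3, "dr_smith", "correct horse", night),
        "receptionist_on_ward": ward.connect(4, "frontdesk", "reception!", day),
        "receptionist_in_lobby": lobby.connect(1, "frontdesk", "reception!", day),
        "unknown_user": lobby.connect(2, "visitor", "anything", day),
    }


if __name__ == "__main__":
    for name, state in run_scenario().items():
        print(f"{name:26} -> {state}")
```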
Authentication-Based Network Access Control
Methods
This section describes the three most common methods for enforcing network
access control at the edge. Built on the architecture described in the previous
section, these methods hinge an endpoint’s level of network access on a PDP’s
decisions. These decisions are, in turn, based primarily on the validity of
credentials submitted by the user but perhaps on other policies as well.
The three methods are:
■MAC authentication (MAC-Auth)—allows access based on the endpoint’s MAC address
■Web authentication (Web-Auth)—allows access based on credentials
submitted in a Web page
■802.1X—allows access based on credentials exchanged via Extensible
Authentication Protocol (EAP)
802.1X is the most secure option. However, for reasons explained in the rest
of this guide, another method might meet your requirements. You can also
implement different methods in different areas of your network or begin by
enforcing a less secure method and eventually migrate to 802.1X. Chapter 3:
“Designing Access Controls” will give you more guidelines for your design.
MAC-Auth
MAC-Auth identifies an endpoint by its MAC address, a unique 48-bit hardware
address assigned to the network interface card (NIC) by the manufacturer at
production. MAC-Auth identifies hardware, not users—one reason that this
method is sometimes downplayed in contemporary security solutions.
MAC-Auth does not require any special capabilities on the endpoint nor any
user interaction. The PEP is entirely responsible for generating authentication
requests. The PDP makes an access control decision based on the endpoint’s
MAC address, and the PEP enforces the decision by allowing or blocking
traffic from the address accordingly.