ProCurve Solutions
Access Control Security
Design Guide 2.1
www.procurve.com
ProCurve Access Control Security
Design Guide
April 2008
2.1.XX
© Copyright 2008 Hewlett-Packard Development Company, L.P.
The information contained herein is subject to change without
notice. All Rights Reserved.
This document contains proprietary information, which is
protected by copyright. No part of this document may be
photocopied, re produced, or translated into another language
without the prior written consent of Hewlett-Packard.
Applicable ProCurve Products
Network Access Controller 800 (J9065A)
ProCurve Manager Plus (J9056A)
Identity Driven Manager (J9012A)
IPsec VPN Base Modules (J9026A, J8471A)
Secure Router 7102dl (J8752A)
Secure Router 7203dl (J8753A)
Switch 5406zl (J8697A)
Switch 5406zl-48G (J8699A)
Switch 5412zl (J8698A)
Switch 5412zl-96G (J8700A)
Switch 5304xl (J4850A)
Switch 5304xl-32G (J8166A)
Switch 5308xl (J4819A)
Switch 5308xl-48G (J8167A)
Switch 5348xl (J4849A)
Switch 5372xl (J4848B)
Switch 8212zl (J8715A)
Wireless Edge Services xl Module (J9001A)
Redundant Wireless Services xl Module (J9003A)
Wireless Edge Services zl Module (J9051A)
Redundant Wireless Services zl Module (J9052A)
AP 530 (J8986A)
AP 420 na/ww (J8130B, J8131B)
RP 210 (J9004A)
RP 220 (J9005A)
RP 230 (J9006A)
Trademark Credits
ActiveX, Microsoft, Windows, Windows NT, and Windows
XP are U.S. registered trademarks of Microsoft Corporation.
Apple, Mac OS, and QuickTime are registered trademarks of
Apple, Inc.
CRYPTOCard is a registered trademark of Cryptocard
Corporation.
eDirectory, NetWare, Novell, and SUSE are registered
trademarks of Novell, Inc.
Juniper Networks is a registered trademark of Juniper
Networks, Inc.
Linux is a registered trademark of Linus Torvalds.
OpenLDAP is a registered trademark of the OpenLDAP
Foundation.
Red Hat is a registered trademark of Red Hat, Inc.
Solaris is a registered trademark of Sun Microsystems, Inc.
Steel-Belted Radius is a registered trademark of Funk
Software, Inc.
Disclaimer
HEWLETT-PACKARD COMPANY MAKES NO WARRANTY
OF ANY KIND WITH REGARD TO THIS MATERIAL,
INCLUDING, BUT NOT LIMITED TO, THE IMPLIED
WARRANTIES OF MERCHANTABILITY AND FITNESS
FOR A PARTICULAR PURPOSE. Hewlett-Packard shall not
be liable for errors contained herein or for incidental or
consequential damages in connection with the furnishing,
performance, or use of this material.
The only warranties for HP products and services are set
forth in the express warranty statements accompanying
such products and services. Nothing herein should be
construed as constituting an additional warranty. HP shall
not be liable for technical or editorial errors or omissions
contained herein.
Hewlett-Packard assumes no responsibility for the use or
reliability of its software on equipment that is not furnished
by Hewlett-Packard.
War rant y
See the Customer Support/Warranty booklet included with
the related products.
A copy of the specific warranty terms applicable to your
Hewlett-Packard products and replacement parts can be
obtained from your HP Sales and Service Office or
authorized dealer.
Open Source Software Acknowledgment
Statement
This software incorporates open source components that
are governed by the GNU General Public License (GPL),
version 2. In accordance with this license, ProCurve
Networking will make available a complete, machinereadable copy of the source code components covered by
the GNU GPL upon receipt of a written request. Send a
request to:
Hewlett-Packard Company, L.P.
Wireless Edge Services xl Module Program
GNU GPL Source Code
Attn: ProCurve Networking Support
MS: 5550
Roseville, CA 95747 USA
Hewlett-Packard Company
8000 Foothills Boulevard
Roseville, California 95747
http://www.procurve.com/
Contents
1 Access Control Concepts
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-1
Introduction to Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Network Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-4
Network Access Control Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-8
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Network Access Control Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Policy Enforcement Point (PEP) . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Policy Decision Point (PDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-12
Policy Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Network Access Control Process . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Authentication-Based Network Access Control Methods . . . . . . . . . 1-16
MAC-Auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-16
Web-Auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-19
802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-21
Authentication Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
PAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
CHAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
MS-CHAPv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-25
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-28
i
Wireless Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
802.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
Static Wired Equivalent Privacy (WEP) . . . . . . . . . . . . . . . . . . . . 1-31
Dynamic WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31
WPA/WPA2 and 802.11i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-32
Access Control Rights—Dynamic Settings . . . . . . . . . . . . . . . . . . . . . 1-33
VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-33
ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35
Endpoint Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Endpoint Integrity Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-36
Pre-connect and Post-connect Testing . . . . . . . . . . . . . . . . . . . . . 1-37
Testing Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-38
Endpoint Requirements for Integrity Checking . . . . . . . . . . . . . . 1-40
Endpoint Integrity Posture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42
Quarantine Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-42
ProCurve NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45
NAC 800 as an Endpoint Integrity Only Solution . . . . . . . . . . . . . . . . 1-45
802.1X Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-46
DHCP Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-48
Inline Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
NAC 800 as a RADIUS-Only Solution . . . . . . . . . . . . . . . . . . . . . . . . . . 1-52
NAC 800 as Both a RADIUS Server and an Endpoint
Integrity Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-53
ProCurve IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-58
2 Customer Needs Assessment
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-3
Types of Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-5
Temporary Employees . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Guests . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-6
Network Skills . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-7
Recording Information about Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-8
ii
Types of Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Wired Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Wireless Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-9
Remote Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-10
Recording the Types of Connections Available to Users . . . . . . . . . . 2-10
Access Control Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-11
Determine Risk Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-15
Regulations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-16
Regulatory Compliance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-18
Quantify Your Company’s Risk Tolerance . . . . . . . . . . . . . . . . . . . . . . 2-18
Vulnerability to Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Attack Vectors . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
External Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Internal Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-19
Types of Attacks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-20
Malware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-21
Viruses and Worms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-22
Evaluate the Existing Network Environment . . . . . . . . . . . . . . . . . . 2-25
Size . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25
Edge Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-25
Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28
Workstations and Laptops . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-28
Other Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-30
RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31
Directory Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-31
Remote Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Subnets and VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Routing Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
DCHP Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-32
Network Diagram . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-33
iii
Determine Your Endpoint Integrity Requirements . . . . . . . . . . . . . 2-34
Browser Security Policy—Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-34
Select Security Settings for Your Company . . . . . . . . . . . . . . . . . 2-36
Operating System—Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Security Settings—OS X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Security Settings—Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-37
Software—Windows . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-38
The Human Factor . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
Control over Network Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-39
IT Department Workload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40
Users’ Cooperation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2-40
3 Designing Access Controls
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-1
Comprehensive Security Policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-5
The Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-6
The Process of Designing Access Control Security . . . . . . . . . . . . . . . 3-8
Example Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-8
Choose the Access Control Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-13
Network Access Zones: Security . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-15
Wired Zone Security Concerns . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-16
Wireless Zone Security Concerns . . . . . . . . . . . . . . . . . . . . . . . . . 3-17
Vulnerability and Risk Tolerance . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-21
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
User Type and Sophistication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-22
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-23
Administrative Workload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-24
Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-25
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-26
Administrative Control over Endpoints . . . . . . . . . . . . . . . . . . . . . . . . 3-27
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-28
iv
Network Infrastructure Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-29
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-30
Network Infrastructure Devices as 802.1X Supplicants . . . . . . . 3-31
Bringing All of the Factors Together . . . . . . . . . . . . . . . . . . . . . . . . . . 3-32
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-34
Make Decisions about Remote Access (VPN) . . . . . . . . . . . . . . . . . . . 3-36
Decide Whether to Grant Remote Access . . . . . . . . . . . . . . . . . . . . . . 3-37
Select VPN Options . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-38
Vulnerability and Risk Assessment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-40
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-41
User Type and Sophistication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-42
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-43
Administrative Workload and IT Budget . . . . . . . . . . . . . . . . . . . . . . . 3-44
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-44
Endpoint Capabilities and Administrative Control
over Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-45
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-46
Existing Network Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-47
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-47
Bringing All Factors Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-48
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-49
Choose the Endpoint Integrity Deployment Method . . . . . . . . . . . . 3-51
Access Control Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-51
802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-51
Web-Auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-51
MAC-Auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-52
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-53
Vulnerability to Risks and Risk Tolerance . . . . . . . . . . . . . . . . . . . . . . 3-53
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55
Existing Network Infrastructure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-55
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-56
Connection Type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-56
Bringing the Factors Together . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-57
Example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-57
v
Choose Endpoint Integrity Testing Methods . . . . . . . . . . . . . . . . . . . 3-59
Requirements for Testing Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-60
NAC EI Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-60
Advantages and Disadvantages of NAC Agent Testing . . . . . . . . 3-62
ActiveX . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-62
Requirements for ActiveX Testing . . . . . . . . . . . . . . . . . . . . . . . . . 3-62
Advantages and Disadvantages of ActiveX Testing . . . . . . . . . . . 3-63
Agentless . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-63
Requirements for Agentless Testing . . . . . . . . . . . . . . . . . . . . . . . 3-64
Advantages and Disadvantages of Agentless Testing . . . . . . . . . 3-64
Deciding Which Testing Methods to Enable . . . . . . . . . . . . . . . . . . . . 3-64
Transparent Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-65
Testing with User Interaction . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-67
Factors to Consider for Testing Methods . . . . . . . . . . . . . . . . . . . . . . 3-69
Administrative Control over Endpoints . . . . . . . . . . . . . . . . . . . . 3-69
Post-Connect Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-71
User Sophistication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-72
Administrative Workload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-74
Network Overhead . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-75
Bringing All of the Factors Together . . . . . . . . . . . . . . . . . . . . . . . 3-76
Choose RADIUS Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-78
RADIUS Servers in a Network Without Endpoint Integrity . . . . . . . . 3-79
Choose Which Devices Will Play the Role of PDP . . . . . . . . . . . . 3-79
Choose an Access Control Architecture . . . . . . . . . . . . . . . . . . . . 3-84
Determine the Number of RADIUS Servers . . . . . . . . . . . . . . . . . 3-89
Choose Your RADIUS Servers and Finalize the Plan . . . . . . . . . 3-90
RADIUS Servers in a Network With Endpoint Integrity (802.1X
Quarantining) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-93
IAS as the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-93
NAC 800 as the RADIUS Server . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-94
Add ProCurve IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-98
IDM Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-98
Determine If You Need IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-98
Design Parameters for a Network with IDM . . . . . . . . . . . . . . . . . . . . 3-99
Add Users . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-100
Create Access Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-100
vi
Select an EAP Method for 802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-101
Finalize Security Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-106
User Groups and Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-106
Access Group Policies with IDM . . . . . . . . . . . . . . . . . . . . . . . . . 3-107
Access Policies without IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-117
Create the NAC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-120
Design NAC Policy Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-120
Design NAC Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-121
Lay Out the Network . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-129
Core Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-129
Access Zones for Endpoints . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-131
Public Wired Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-131
Public Wireless Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-134
Private Wired Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-140
Private Wireless Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-142
Remote Zone . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-143
Combining Access Control Zone Designs . . . . . . . . . . . . . . . . . . . . . 3-146
Adjacent Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-146
Overlapping Zones . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 3-146
Designing Adjacent and Overlapping Zones . . . . . . . . . . . . . . . . 3-147
Integrating all Parts of the Network Design . . . . . . . . . . . . . . . . . . 3-148
Adding Access Control to an Existing Network . . . . . . . . . . . . . . . . 3-148
Migrating from One Solution to Another . . . . . . . . . . . . . . . . . . . . . . 3-149
4 Other Resources
Services and Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
ProCurve Elite Partners . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
ProCurve Network Access Controller 800 Implementation Start-up
Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-1
Implementation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 4-2
A Appendix A: Glossary
Index
vii
Addendum to the ProCurve Access Control Security
Design Guide
Contents . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-1
Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-3
ProCurve Access Control Solution 2.1 . . . . . . . . . . . . . . . . . . . . . . . . . A-4
Enhancements to the ProCurve Access Control Solution 2.1 . . . . . . A-5
ProCurve NAC 1.1 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6
SMB Signing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6
Deep Check Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-6
Post-Connect NAC Testing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-7
Integration with Microsoft SMS . . . . . . . . . . . . . . . . . . . . . . . . . . . A-7
Support for RDAC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-7
DHCP Plug-in Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-8
Identity Driven Manager 2.3 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-9
Microsoft NAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-11
NAP Components . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-11
NAP Client Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-14
NAP Enforcement Clients (ECs) . . . . . . . . . . . . . . . . . . . . . . . . . A-14
System Health Agents (SHAs) . . . . . . . . . . . . . . . . . . . . . . . . . . . A-14
NAP Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-14
NAP Server Architecture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-15
NAP Enforcement Point . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-16
NPS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-16
Health Requirement Servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-17
Network Access Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-17
IPsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-17
DHCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-20
VPN Access . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-21
802.1X Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-21
Remediation and Health Requirement Servers . . . . . . . . . . . . . A-23
viii
Updating the Access Control Design Process . . . . . . . . . . . . . . . . . . A-24
Choose the Endpoint Integrity Solution . . . . . . . . . . . . . . . . . . . . . . . A-25
Existing Network Environment . . . . . . . . . . . . . . . . . . . . . . . . . . A-25
Vulnerability to Risks and Risk Tolerance . . . . . . . . . . . . . . . . . A-26
Management Resources . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . A-27
Interoperability Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . A-28
Bringing the Factors Together . . . . . . . . . . . . . . . . . . . . . . . . . . . A-29
Choose the Endpoint Integrity Deployment Method . . . . . . . . . . . . A-30
ix
x
Access Control Concepts
Contents
Introduction to Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-2
Network Access Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-3
Network Access Control Technologies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
AAA . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-5
Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-6
Authorization . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-7
Accounting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-9
Network Access Control Architecture . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Endpoint . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Policy Enforcement Point (PEP) . . . . . . . . . . . . . . . . . . . . . . . . . . 1-10
Policy Decision Point (PDP) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-11
Policy Repository . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-13
Network Access Control Process . . . . . . . . . . . . . . . . . . . . . . . . . 1-14
Authentication-Based Network Access Control Methods . . . . . . . . . 1-15
MAC-Auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-15
Web-Auth . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-18
802.1X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-20
Authentication Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
Authentication Protocols . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-22
PAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
CHAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-23
MS-CHAPv2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
EAP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-24
RADIUS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-27
1
1-1
Access Control Concepts
Contents
Wireless Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
802.11 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-29
Static Wired Equivalent Privacy (WEP) . . . . . . . . . . . . . . . . . . . . 1-30
Dynamic WEP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-30
WPA/WPA2 and 802.11i . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-31
Access Control Rights—Dynamic Settings . . . . . . . . . . . . . . . . . . . . . 1-32
VLANs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-32
ACLs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-34
Endpoint Integrity . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35
Endpoint Integrity Policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-35
Pre-connect and Post-connect Testing . . . . . . . . . . . . . . . . . . . . . 1-36
Testing Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-37
Endpoint Requirements for Integrity Checking . . . . . . . . . . . . . . 1-39
Endpoint Integrity Posture . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-41
Quarantine Methods . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-41
ProCurve NAC 800 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-44
NAC 800 as an Endpoint Integrity Only Solution . . . . . . . . . . . . . . . . 1-44
802.1X Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-45
DHCP Deployment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-47
Inline Deployment Method . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-50
NAC 800 as a RADIUS-Only Solution . . . . . . . . . . . . . . . . . . . . . . . . . . 1-51
NAC 800 as Both a RADIUS Server and an Endpoint
Integrity Solution . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-52
1-2
ProCurve IDM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 1-57
Access Control Concepts
Introduction to Access Control
Introduction to Access Control
Over the last several decades, network connectivity has evolved into a
necessary component of nearly every business activity. Users rely on the
network for:
■ Data—the information stored in the computing environment
■ Applications—the means of manipulating that data
It is a rare user who accesses only the data and applications stored on an
isolated computer system. Instead, a user connects to a network, which allows
his or her endpoint—the device used to connect to the network—to access
data and applications stored on many systems.
Resources stored and delivered over a network are valuable; they might
include medical records, payroll information, customers’ financial records,
corporate strategy, and military operation plans. And because the resources
are valuable, some people may attempt to hijack them for their own purposes.
To protect resources from misuse (whether malicious or not), you must
enforce access controls. Many users associate the words access control with
a username and password, submitted to gain access to a particular piece of
data or application. However, an access control is any mechanism for dictating
which users and devices can access particular resources.
You can control users’ access to resources in three ways:
■ Data access control (enforced on particular data storage devices)
■ Application access control (enforced on particular services)
■ Network access control (enforced at the network edge, where users
connect)
Access control is most effective at protecting resources when the three types
work together. But because the network is the means of distributing all data
and applications to users, network access control is particularly important as
a comprehensive solution. Network access control provides the following
functions:
■ Blocks access from unauthorized users at each network entry
point—Securing individual resources is not enough. Even when an
attacker cannot reach core resources, he or she can discover much about
your network and potentially implement attacks simply by connecting to
it. A solution for blocking and controlling users at the edge, before they
connect to the network, adds another layer of security to that implemented on individual devices.
1-3
Access Control Concepts
Introduction to Access Control
■ Eliminates frustrations created by piecemeal solutions—A well-
This solution design guide focuses on network access control as the first front
in securing your organization’s resources.
Network Access Control
Network access control is the process of controlling who has access to which
network resources under what conditions (the time, location, and means of
access).
An access control security policy addresses these questions:
■ Who should access the network?
■ What data, services, and other resources on the network should these
■ What conditions should alter the level of access granted to a
designed, centrally administered network access control solution minimizes the number of passwords that users must enter throughout the day.
Ideally, the solution begins to control the user’s access as soon as he or
she connects to the network and continues to do so without further user
interaction.
users access?
particular user?
1-4
It is easy to think of network access control in terms of the first question only
and to answer that question in a simplistic fashion: “I want to allow the good
guys in and keep the bad guys out.” But, of course, users do not split neatly
into “good guys” and “bad guys,” and attacks do not always originate from the
outside.
You can more usefully think of access control as granting many different types
of users—employees, both temporary and permanent; guests; and customers—the level of access that is appropriate to their needs.
For example, it is appropriate for doctors and nurses in a hospital to access
patient records; they need those records to do their jobs. Receptionists at the
front desk, on the other hand, do not require such access, so the network
should not give it to them. However, the receptionists should, quite appropriately, have access to other network resources (such as appointment databases
and scheduling software). And the only resource appropriate for patients and
visitors might be the Internet and the hospital’s public Web site.
Access Control Concepts
Introduction to Access Control
The third question raises another important issue: factors beyond a user’s
identity can affect the appropriate level of access. For example, a daytime
manufacturing worker might require network access during normal working
hours from computers near his assembly station, but not at night or from
computers in the marketing department.
The means by which the user connects to the network can also be relevant.
For example, wireless connections are sometimes more vulnerable to eavesdropping than wired, so a user that is normally allowed to access sensitive
data might be prohibited from viewing that same data over a wireless connection. And because a t rusted, well-intentioned user can introduce m alware from
within the network by connecting with an improperly secured endpoint, a
complete access control solution should examine the integrity of the user’s
device in addition to the user’s identity.
Chapter 3: “Designing Access Controls” will discuss these considerations in
more depth, guiding you through formulating your own security policy. The
remainder of this chapter focuses on the concepts and technologies that
underlie network access control.
1-5
Access Control Concepts
Network Access Control Technologies
Network Access Control Technologies
This solution design guide focuses on two general types of access control:
■ Authentication, authorization, and accounting (AAA)—controls
(and tracks) which users access which resources on the network
■ Endpoint integrity—controls which endpoints are allowed on the net-
work based on their compliance with policies for endpoint security
settings
AAA provides the traditional framework for controlling access to the network,
whereas endpoint integrity adds the ability to protect the network from
potentially compromised endpoints.
The remainder of this chapter covers the protocols and technologies that
underlie AAA and endpoint integrity solutions. If you already have a solid
understanding of these concepts, you can proceed immediately to Chapter 2:
“Customer Needs Assessment.” But remember: designing an access control
solution is much less frustrating when you know what choices are available
and what those choices entail.
1-6
AAA
Developed by the Internet Engineering Task Force (IETF), AAA dictates how
network devices provide:
■ Authentication—determining if users are who they claim to be
■ Authorization—deciding which data and applications users can access
and applying controls to enforce those decisions
■ Accounting—tracking which resources users actually access
AAA allows you to centralize these functions and standardize policies throughout a network. A AAA server makes decisions that edge devices—in AAA,
called network access servers (NASs)—enforce.
The NASs and AAA servers communicate using a AAA protocol, of which the
two most common are:
■ Remote Access Dial-In User Service (RADIUS)
■ Terminal Access Controller Access Control System Plus (TACACS+)
This guide focuses on RADIUS because it is compatible with most other access
control mechanisms.
Network Access Control Technologies
Access Control Concepts
Authentication
Authentication is the process by which a device determines the identity of a
user connecting to a network or attempting to access a resource.
Authentication Factors. A human can identify another human in many
different ways: by a name, a face, an ID badge, or knowledge of a certain piece
of information. And a human can rely on his or her judgment to inform the
identification. In the networking world, authentication boils down to a user
submitting certain information that an authentication server uniquely associates with that user.
However, the information submitted can take several forms, or factors:
■ Something the user knows—The user submits a password, which the
authentication server has already associated with the user’s name (also
submitted during authentication). Assuming that no one else knows the
password, the server equates a correct password with an authentic user.
Although relatively easy to deploy, this factor is also the least secure.
Users may write down their passwords where anyone can find them; they
may tell them to friends and family members; they may select easily
guessed passwords. In addition, passwords that are not changed often
enough can be cracked, and passwords submitted or stored in an insecure
manner can be hijacked.
Still, steps have been taken to address these issues. Databases often store
passwords in non-reversibly encrypted form; users may be required to
choose non-dictionary passwords and to change passwords frequently. In
addition, most authentication protocols require users to submit passwords in encrypted form. You need to consider these issues when you
select an authentication protocol because, implemented correctly, passwords are still often a good choice for credentials. (For more information,
see “Authentication Protocols” on page 1-23.)
■ Something the user has—The user owns a physical object, such as a
token card or smart card, that identifies him or her, usually by storing
credentials that cannot be compromised without destroying the device.
The stored credentials often take the form of a private key/digital certificate. The private key “signs” data to prove that the user, who is identified
in the associated digital certificate, is the source of the data.
Instead of being installed on a smart card, the private key/digital certificate can be stored directly on a user’s endpoint. In this case, owning the
endpoint (with installed certificate) is what proves the user’s identity.
1-7
Access Control Concepts
Network Access Control Technologies
Unfortunately, although forging these physical devices is difficult, the
devices can be lost or stolen. A user might also allow someone else to
access his or her endpoint—in fact, this might be a common practice in
your organization. Once an unauthorized user possesses the necessary
device, he or she can access the network easily.
■ Something the user is—The previous two factors associate individuals
with more or less arbitrary credentials. An increasingly important authentication factor, biometrics attempts to equate users and their credentials,
which are physical characteristics, including voice, face geometry, fingerprints, hand geometry, handwriting dynamics, iris pattern, and retinal
pattern.
In theory at least, a person’s physical characteristics are unique—and so
unalterable and irreproducible. However, to live up to theory, biometrics
require sophisticated, and often expensive, equipment. Privacy concerns
also cause biometrics to be, while the most secure factor, also the least
commonly used.
Each of these factors provides greater security when combined with another
for two-factor authentication. For example, a smartcard or certificate installed
on an endpoint becomes secure when combined with a password. Even if an
unauthorized user seizes control of the device, he or she cannot use it without
the correct password.
1-8
Authentication Protocols. An authentication protocol defines the procedure for submitting credentials to the authenticating device (typically, a
network server).
RADIUS authentication comes in three forms, each of which uses a protocol
developed for point-to-point connections:
■ Password Authentication Protocol (PAP)
■ Challenge Handshake Authentication Protocol (CHAP)
■ Extensible Authentication Protocol (EAP)
You’ll learn more about these protocols and their role in network access
control in “Authentication Protocols” on page 1-23.
Authorization
Authorization builds on authentication. Authorization determines which network resources an authenticated user is granted rights to access.
Network Access Control Technologies
Access Control Concepts
Note You can also configure the network to authorize unauthenticated users for
certain—typically, very limited—rights.
In addition to considering whether a user has authenticated successfully, a
AAA server assigns rights based on user identity and time and location of
access. In other words, authorization is the mechanism that customizes a
network for different types of users, providing each user with appropriate
network access, rather than blanket “all or none” access.
Therefore, authorization is a particularly important component of a network
access control solution. The authorization aspect of network access control
also removes some of the burden from data and application access control.
For example, you could set up “all or none” access to the network and then
control access to application servers separately on each server. But a better
solution often adds centralized network access control policies that grant
users rights to appropriate services when they first access the network,
preventing unauthorized traffic from ever reaching servers.
Authorization rights that are set up on AAA server are often called dynamic
or user-based settings because they are assigned to individual users automatically when they connect to the network.
Rights determine:
■ Which resources and services the user can and cannot access—Typically,
you enforce these rights with Virtual LAN (VLAN) assignments and access
control lists (ACLs).
Note ProCurve Identity Driven Manager (IDM) will help you set up your polices
more efficiently, as described in “ProCurve IDM” on page 1-58).
As much as possible, you place resources necessary for a particular group
of users in the same VLAN. ACLs, applied to routers or to edge devices,
permit only the appropriate user groups access to the VLAN in question.
For example, if the server with your payroll database were placed on
VLAN 7, you would restrict access to this VLAN: you would allow only
users in the Accounting group—thereby preventing unauthorized employees from browsing the company payroll.
You can also use rights (specifically, dynamic ACLs) to control which
types of services and applications users can access. TCP and UDP, two
Transport Layer protocols, assign various applications to specific ports.
For example, Web traffic uses TCP port 80 whereas File Transfer Protocol
(FTP) traffic uses TCP port 21. To limit a set of users such as guests to
browsing Web sites, simply restrict their traffic to TCP port 80.
1-9
Access Control Concepts
Network Access Control Technologies
■ Other settings for the connection such as rate limits and quality of service
(QoS) settings
These settings affect how a user accesses network resources, rather than
which resources a user accesses. For example, you can limit a user to 10
Mbps of bandwidth, or you can assign guest users’ traffic low priority.
Accounting
Accounting, the third AAA function, collects information from NASs about
users and their activities.
At a minimum, accounting logs users’ authentication requests, creating a
record of who has logged in to the network (initial request) and logged out
(final request). Just as important for network security, NASs log rejected
authentication requests, clueing you in to potential attempts to infiltrate the
network.
Accounting reports include information about access requests such as:
■ Username
■ Date and time
■ Transaction type
■ NAS ID
■ User location (for example, the NAS port ID)
■ Amount of data exchanged (reports on ongoing or terminated
connections)
1-10
Although tracking users as they log in and out of the network is important, it is
equally important to monitor what they actually do on the network. Many NASs
also send periodic reports on connected users, which update the accounting
server on the resources that the user has accessed during that period.
A security analyst (usually aided by a security solution) can analyze accounting logs to:
■ Establish a baseline for normal network activity, which can be used for
resource planning and for comparison with future network activity
■ Check for suspicious activity (for example, significant deviations from the
normal activity baseline or multiple rejected access requests)
■ Trigger preemptive action to address suspicious behavior (for example,
shutting down the source port generating rejected requests)
■ Create reports that demonstrate compliance with regulations such as the
Sarbanes-Oxley Act
Network Access Control Technologies
Access Control Concepts
Accounting also enables billing; the accounting logs are forwarded to a billing
server, and users are charged for the bandwidth and resources they have
consumed.
Network Access Control Architecture
Before turning to methods for implementing a network access control solution, let’s consider the roles network devices play. There are many access
control technologies; fortunately, the same basic architecture is used for all
of them.
Based on definitions in the Internet Engineering Task Force (IETF) standard
for policy-based management, this architecture comprises four logical elements:
■ Endpoint
■ Policy enforcement point (PEP)
■ Policy decision point (PDP)
■ Policy repository
(See Request for Comments [RFC] 3084 and 3198 at http://http://tools.ietf.org/
html/.)
Endpoint
The endpoint is the entity attempting to gain access to the network. Usually a
computer (workstation or laptop) or personal digital assistant (PDA), the
endpoint can also be a printer, scanner, or any device with a network interface
card (NIC).
Note Endpoints are sometimes called stations or clients. This guide will always use
the term endpoint to avoid confusion.
Policy Enforcement Point (PEP)
Acting as the gatekeeper to the network, the PEP enforces access control on
the endpoint, typically at the endpoint’s point of access. Thus, the PEP is often
a switch or wireless Access Point (AP) at the edge of the network. It can also
be a device such as the Wireless Edge Services Module, which controls several
coordinated (or lightweight) APs, which ProCurve refers to as radio ports
(RPs). In this case, the module is the logical point of access because the RPs
encapsulate and forward all traffic to it.
1-11
Access Control Concepts
Network Access Control Technologies
NASs, which you learned about earlier in the AAA section, are also PEPs. The
term NAS is typically used when discussing RADIUS. For consistency, however, this chapter will use the term PEP when discussing RADIUS.
The PEP has two roles:
■ Access request generator—Forces endpoints to provide basic informa-
tion about themselves (credentials) before accessing network resources.
The PEP uses this information to compose an access request on the
endpoint’s behalf.
■ Access decision enforcer—Enforces access decisions by opening or
blocking a port, assigning an endpoint to a particular VLAN, or applying
other dynamic settings.
Because the PEP is responsible for initiating and enforcing the access
control method, evaluating the PEP’s capabilities is often one of the first
steps you should take when designing a network access control solution.
This design guide focuses on the many capabilities offered by ProCurve
Networking PEPs, which include both wired switches and wireless APs,
as well as the Wireless Edge Services Module.
Policy Decision Point (PDP)
Simply put, the PDP makes access decisions. It has three roles:
■ Translator—Converts security policies into device-specific instructions
that PEPs can understand. The most basic instru ction is whether to enable
or disable a port, but these instructions can include settings such as the
VLAN for the port.
■ Resolver—Settles policy conflicts that arise as a result of divergent
request needs such as requests for a port to be assigned simultaneously
to two VLANs.
■ Information aggregator—Collects information from PEPs for manage-
ment and monitoring purposes.
The typical PDP is an authentication server, which might be a software
application installed on a computer, a stand-alone appliance, or even a server
built into a PEP such as the Wireless Edge Services Module. An endpoint
integrity solution, or network access controller, is also a PDP.
The PDPs discussed in this guide are:
■ RADIUS servers
■ Network access controllers
1-12
Network Access Control Technologies
Access Control Concepts
Identity-based management in the form of ProCurve IDM augments the standard PDP translator role. You will learn more about IDM in “ProCurve IDM”
on page 1-58. For now, simply know that IDM helps the PDP factor user group,
location, time, system, and—with the help of a network access controller—endpoint integrity into its decisions. Based on these inputs, IDM can
provide policy instructions to the PEP in the form of various dynamic settings.
The section below gives some examples of RADIUS servers. You will learn
about network access controllers in “Endpoint Integrity” on page 1-36.
Examples of RADIUS Servers. ProCurve solutions have been verified
with several RADIUS servers:
■ Microsoft IAS (Windows Server 2000/2003)—Microsoft’s version of
a RADIUS server, Internet Authentication Server (IAS), is bundled with
Windows 2000 Server and Windows Server 2003. In most cases it makes
sense for an organization that runs a Windows domain to use IAS as the
RADIUS platform. For organizations that rely heavily on Active Directory,
the tight integration between IAS and Active Directory facilitates deployment and administration. Note, however, that the tight linkage between
IAS and Active Directory can be a drawback, especially when using MACAuth, an access control method described later in this chapter.
■ Juniper Steel-Belted Radius—Steel-Belted Radius server provides
additional functions and flexibility beyond that provided by IAS. LDAP
support allows the server to communicate with Active Directory content.
But because the RADIUS server is not as closely integrated into Active
Directory, it can use other credential stores instead, such as UNIX Network Information Services (NIS), token-based servers (RSA, CRYPTOCard), SQL database, or even another RADIUS server. In addition, SteelBelted Radius is not limited to running on Windows platforms: it can also
run on NetWare or Solaris, or as a hardware appliance.
■ ProCurve NAC 800—The NAC 800 can act as your network’s RADIUS
server. It supports RADIUS as a stand-alone access control solution, or it
can integrate its RADIUS capabilities with endpoint integrity checking.
■ Built-in server on a PEP—ProCurve Networking offers several wireless
devices that feature their own internal RADIUS server. Since authentication (particularly 802.1X) is key to security in the wireless world, these
built-in servers are ideal for small-to-medium businesses that want to add
wireless networking without compromising security.
The following ProCurve edge devices feature built-in RADIUS servers:
• Wireless Edge Services Module (xl and zl)
•AP 530
1-13
Access Control Concepts
Network Access Control Technologies
Policy Repository
The policy repository stores policies that the PDP draws on to make decisions.
Stored policies include access criteria for users such as username and password, valid MAC address, IP address, location, and time of day. Usually
network policies are stored as sub-elements within a directory that contains
other policy-related information such as user credentials (username/password combinations) and device or network information. A PDP might also
store some of these policies itself and refer to a directory server for user
credentials.
For a PDP to perform its AAA functions, it needs access to the policy
repository. The policy database may be either local (on the same system as
the PDP server) or remote (on a different system on the network).
Local Policy Repository. A local policy database can be as simple as a flat
file under control of the PDP server, or it can be a more complex local database
such as a SQL database or a UNIX password file.
Remote Policy Repository. Remote policy databases are generally superior to local databases because they tend to scale better and offer a central
control point for management. They do, however, require additional upfront
effort to deploy. That objection may be academic if your organization already
has a distributed policy infrastructure in place.
1-14
The most common form of a distributed policy database is a directory service.
A server that implements directory services identifies all network resources,
such as users, servers, peripheral devices, and the policies for dealing with
them. In a Microsoft Windows domain, the user and policy database is Active
Directory. Other directory services include Novell eDirectory and OpenLDAP.
A PDP such as a RADIUS server can use a directory service in conjunction
with a local policy repository. For example, the RADIUS server might query
the directory service to check user credentials. After authenticating the user,
the RADIUS server must decide for which rights that user is authorized under
the current conditions. It checks policies that, while they might originate from
the remote repository, might be stored locally instead.
Network Access Control Technologies
Access Control Concepts
Network Access Control Process
Figure 1-1 shows the typical components of the network access control
architecture.
Figure 1-1. Network Access Control Architecture
You will learn more about how the four components interact in discussions
of specific network access control technologies. For now, you should simply
be familiar with the vocabulary and the most basic process:
1. An endpoint attempts to gain access to the network.
2. The PEP requests and receives the user’s credentials from a utility on the
endpoint.
3. With the credentials, the PEP composes an access request, which it
forwards to the PDP.
4. The PDP seeks information about the user from the policy repository.
On the basis of this information, it decides whether or not to authenticate
the user.
With IDM, the PDP can factor additional criteria (such as location, time,
and user group) into the decision.
1-15
Access Control Concepts
Network Access Control Technologies
5. If it authenticates the user, the PDP draws on additional policy information from the repository to authorize the user for particular resources. It
then generates device-specific configuration instructions (such as the
VLAN for the port) for the PEP.
6. The PEP configures its ports according to the instructions from the PDP.
The user’s endpoint receives the appropriate level of access.
Authentication-Based Network Access Control Methods
This section describes the three most common methods for enforcing network
access control at the edge. Built on the architecture described in the previous
section, these methods hinge an endpoint’s level of network access on a PDP’s
decisions. These decisions are, in turn, based primarily on the validity of
credentials submitted by the user but perhaps on other policies as well.
The three methods are:
■ MAC authentication (MAC-Auth)—allows access based on the end-
point’s MAC address
■ Web authentication (Web-Auth)—allows access based on credentials
submitted in a Web page
■ 802.1X—allows access based on credentials exchanged via Extensible
Authentication Protocol (EAP)
1-16
802.1X is the most secure option. However, for reasons explained in the rest
of this guide, another method might meet your requirements. You can also
implement different methods in different areas of your network or begin by
enforcing a less secure method and eventually migrate to 802.1X. Chapter 3:
“Designing Access Controls” will give you more guidelines for your design.
MAC-Auth
MAC-Auth identifies an endpoint by its MAC address, a unique 48-bit hardware
address assigned to the network interface card (NIC) by the manufacturer at
production. MAC-Auth identifies hardware, not users—one reason that this
method is sometimes downplayed in contemporary security solutions.
MAC-Auth does not require any special capabilities on the endpoint nor any
user interaction. The PEP is entirely responsible for generating authentication
requests. The PDP makes an access control decision based on the endpoint’s
MAC address, and the PEP enforces the decision by allowing or blocking
traffic from the address accordingly.