ProCurve Network Access Control for HP Thin Clients and CCI

Contents
Introduction
The Components
HP PC Client Computing Solutions
Introduction

This white paper provides a reference implementation of layered security policy enforcement, created by integrating HP thin clients and Consolidated Client Infrastructure (CCI) blade PCs with the HP ProCurve Network Admission Control (NAC) solution. The combination of HP thin clients and CCI blade PCs provides a very robust, secure, and cost-effective computing solution that can be applied to any network.
Network Access Control

Advancements in computer networking have significantly changed the way people and organizations communicate and access information. Networks have become critical resources in many organizations, providing real-time communications and access, through both the Internet and enterprise intranets, to unprecedented levels of information.
ProCurve NAC 800 Solution

The ProCurve NAC 800 is designed with multiple enforcement modes to accommodate the needs of enterprise networks. All enforcement methods apply pre-authorization security policy checks in order to protect the network from harmful systems. The following enforcement modes can be used together to provide complete access control coverage across the network:
• 802.1X Enforcement: Utilizing the 802.
The Implementation

NAC Installation

This section covers use of a ProCurve NAC 800 appliance to ensure that thin clients and blade PCs meet configuration policy prior to receiving a valid IP address on the production network. We use the NAC 800 appliance in DHCP mode and set up a quarantine DHCP area via the Web-based administration console.

Connecting to the Network

In order to install the ProCurve NAC 800 into the network, do the following:
1.
1. Using the domain controller, go to https://172.16.1.101 in Internet Explorer to view the Web console.
2. Click OK when the Security Alert appears.
3. Accept the license agreement.
4. Enter the management server settings:
   o Root Password: procurve [Type a root configuration password.]
   o Re-enter Password: procurve [Type the root configuration password again.]
   o Region: Enter a region for your location.
   o Time Zone: Enter a time zone for your location.
   o NTP Servers: Type 172.16.1.250.
   o Host Name: Type nac800.ccidomain.net.
   o DNS IP Address: Type 172.16.1.250.
5.
7. Click System Configuration.
8. Click Quarantining.
9. For the purposes of this paper, we are demonstrating DHCP quarantining methods. Select the DHCP button.
10. Select Add Quarantine Area.
11. Type the following information in the appropriate fields:
   o Quarantined Subnet: 10.88.10.0/24
   o DHCP IP Range: 10.88.10.100 to 10.88.10.150
   o Gateway: 10.88.10.1
   o Domain: ccidomain.net
   o Non-quarantined subnets: 172.16.1.0/24
   o DHCP Quarantine Option: Router Access Control Lists (ACLs)
12.
Configuring Policy Settings

As we are focusing on the integration of NAC into a CCI and thin client network, we explore only the network policy enforcement settings that are pertinent to thin clients and blade PCs. This is by no means a complete description of the ProCurve NAC solution's features. Likewise, in a production environment, you may wish to validate many more Windows configuration components than are discussed in this reference white paper.
Thin Client Policy

First, since we are only evaluating the NAC appliance, we must ensure that the appliance does not quarantine machines from the network, but merely warns that they would have been quarantined.
1. From the home screen of the NAC Web console (https://172.16.1.102), select System Configuration.
2. Click Cluster #1.
3. Set the Access Mode to Allow all.
4. Select OK.
Now we can set up the policy that pertains specifically to thin clients.
5. On the Domain Controller, open Internet Explorer and go to https://172.16.1.102/ (the Web console).
6. Log on to the Web console to access the home screen.
7. From the navigation menu on the left, select NAC policies.
8. Select Add a NAC policy.
9. Under Basic Settings, in the Policy Name text box, enter Thin Client Policy.
10. Set the NAC Policy Group to Default.
11. Set the Operation Mode to Enabled.
12. Set the Retest Frequency to retest every 2 minutes.
13. Select Never quarantine inactive endpoints.
14. Select Tests from the left navigation bar. On the Tests page, you select the tests for this particular policy.
15. Enable and select the Services Required test. This test requires devices to have the specified services running.
16. In the Test Properties text box, enter EWFStatusSvc, which is the name of a service related to the thin client write filter.
17. Under Test failure actions, check Quarantine Access and select Immediately.
18. Locate the Personal Firewalls test, and enable and select it. This test enforces a required firewall.
19. Under Test Properties, clear all check boxes except Sygate Personal Firewall, which is the standard firewall installed on HP thin clients.
20.
2. Click Cluster #1.
3. Set the Access Mode to Allow all.
4. Select OK.
Now we can set up the policy that pertains specifically to blade PCs.
5. On the Domain Controller, open the Web console at https://172.16.1.102/ in your Web browser.
6. Log on to the Web console to access the home screen.
7. From the navigation menu on the left, select NAC policies.
8. Select Add a NAC policy.
9. Under Basic Settings, in the Policy Name text box, enter Blade Policy.
10. Set the NAC Policy Group to Default.
11. Set the Operation Mode to Enabled.
12. Set the Retest Frequency to retest every 2 minutes.
13. Select Never quarantine inactive endpoints.
14. Select Tests from the left navigation bar. The Tests page is where tests are put in place for this particular policy.
15. Find the Services Required test, and enable and select it. This test ensures that any device under this policy has the specified services running.
16. In the Test Properties text box, enter daesvc, which is the name of a service related to the SAM server.
17. Under Test failure actions, check Quarantine Access and select Immediately.
18.
19. Under Test Properties, clear all check boxes except Windows Firewall.
20. Under Test failure actions, check Quarantine Access and select Immediately.
21. Select OK at the top of the window.

End-Point Configuration

Thin Client Firewall Exceptions

The HP t5720 XPe-based thin client is configured by default with the Sygate firewall actively blocking all ports except those required for basic Web browsing and RDP connections.
8. On the Hosts tab, select IP Addresses, and then type the IP address of the NAC800 (172.16.1.101) in the field.
9. On the Ports and Protocols tab, in the Protocol list, select UDP.
10. Type 137, 1500 in the Local field.
11. In the Traffic Direction list, select Both.
12. Click OK.
13. In the Advanced Rules window, click Add.
14. In the Advanced Rule Settings window, on the General tab, type Allow NAC TCP In in the Rule Description field.
15. Select Allow this traffic.
16. On the Hosts tab, select IP Addresses, and then type the IP address of the NAC800 (172.16.1.101) in the field.
17. On the Ports and Protocols tab, select TCP in the Protocol field.
18. Type 139, 1500 in the Local field.
19. Select Incoming in the Traffic Direction field.
20. Click OK.
21. In the Advanced Rules window, click Add.
22. In the Advanced Rule Settings window, on the General tab, type Allow NAC TCP Out in the Rule Description field.
23. Select Allow this traffic.
24. On the Hosts tab, select IP Addresses, and type the IP address of the NAC800 (172.16.1.101) in the field.
25. On the Ports and Protocols tab, select TCP in the Protocol field.
26. Type 89 in the Remote field.
27. Select Outgoing in the Traffic Direction field.
28. Click OK.
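The three advanced rules above, modelled as a small first-match rule table and run against constructed flows, as an added example (not HP's or Sygate's code). It shows that the exceptions open the NAC test ports to the NAC 800 address only; the first rule's description is not shown in the steps, so the name Allow NAC UDP is assumed.

```python
# Added example (not HP's or Sygate's code): a model of the three advanced
# rules configured above, exercised against constructed flows to show that
# the exceptions open NAC test traffic to the NAC 800 only. The NAC 800
# address and ports come from the steps; the first rule's description is
# not on the page, so its name here ("Allow NAC UDP") is assumed.
from dataclasses import dataclass
from typing import FrozenSet, Optional

NAC800 = "172.16.1.101"

@dataclass(frozen=True)
class Rule:
    name: str
    host: str                 # remote host the rule applies to
    proto: str                # "TCP" or "UDP"
    local: FrozenSet[int]     # local ports; empty set means any
    remote: FrozenSet[int]    # remote ports; empty set means any
    direction: str            # "Incoming", "Outgoing" or "Both"

RULES = [
    Rule("Allow NAC UDP", NAC800, "UDP", frozenset({137, 1500}), frozenset(), "Both"),
    Rule("Allow NAC TCP In", NAC800, "TCP", frozenset({139, 1500}), frozenset(), "Incoming"),
    Rule("Allow NAC TCP Out", NAC800, "TCP", frozenset(), frozenset({89}), "Outgoing"),
]

@dataclass(frozen=True)
class Flow:
    remote_host: str
    proto: str
    local_port: int
    remote_port: int
    direction: str            # "Incoming" or "Outgoing", seen from the thin client

def matches(rule: Rule, flow: Flow) -> bool:
    return (rule.host == flow.remote_host
            and rule.proto == flow.proto
            and (not rule.local or flow.local_port in rule.local)
            and (not rule.remote or flow.remote_port in rule.remote)
            and rule.direction in ("Both", flow.direction))

def allowed_by(flow: Flow) -> Optional[str]:
    """Name of the first rule that permits the flow, or None: the thin
    client's default of blocking everything else stays in force."""
    for rule in RULES:
        if matches(rule, flow):
            return rule.name
    return None
```

A flow such as Flow("172.16.1.50", "TCP", 139, 40001, "Incoming") returns None, because the SMB exception is scoped to the NAC 800 address rather than to the whole production subnet.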
Policy Enforcement

Now that the ProCurve NAC appliance is fully integrated into the network and configured with policy tests, we can demonstrate policy enforcement in action.
4. Click Begin Testing to start the policy test.
5. Upon your first connection to the NAC 800 appliance in transient agent-based mode (as described in Policy Enforcement), you are prompted to accept an ActiveX control. Depending on your version of Web client (Internet Explorer 6.0 is used in this reference document) and the security settings in that Web browser, you may have to right-click the notification bar to accept installation of the ActiveX control, as shown here.
Once the ActiveX control is loaded, testing can begin for the thin client. At this point, the thin client should be within policy and should therefore be allowed to access the network.
6. Confirm this by opening a command prompt and typing ipconfig. The result should show that the thin client IP address is 172.16.1.x.
7. Close the browser.
8. Right-click My Computer.
9. Click Manage.
10. Click Services and Applications.
11. Click Services.
12. Stop EWF Status Service by right-clicking the entry and selecting Stop.
13. Retest the machine.
Now, since the required service is stopped, the thin client is out of policy, so it is placed in the quarantine subnet.
14. Confirm this by opening a command prompt and typing ipconfig. The result should show that the thin client IP address is now 10.88.10.x.
15. Restart EWF Status Service.
16. Retest the thin client to verify that it meets policy again and is admitted to the network.
17. Confirm this by opening a command prompt and typing ipconfig.
3. Go to https://172.16.1.102:89 in your browser.
4. Upon your first connection to the NAC 800 appliance in transient agent-based mode (as described in Policy Enforcement), you are prompted to accept an ActiveX control. Depending on your version of Web client (Internet Explorer 6.0, for this reference document) and the security settings in that Web browser, you may have to right-click the notification bar to accept installation of the ActiveX control, as shown here.
5. Start the policy test by clicking Begin Testing. At this point, the blade PC should be in policy and should therefore be allowed to access the network.
6. Confirm this by opening a command prompt and typing ipconfig. It should show that the blade PC IP address is 172.16.1.x.
7. Close the browser.
8. Right-click My Computer.
9. Select Manage.
10. Select Services and Applications.
11. Select Services.
12. Right-click HP SAM Registration Service and select Properties. Click Stop to end this DAESVC service.
13. Retest the machine.
Now, since the required service is stopped, the blade PC is out of policy, so it is placed in the quarantine subnet.
14. Confirm this by running ipconfig at the command prompt to ensure that the blade PC IP address is 10.88.10.x.
15. Restart the DAESVC service.
16. Retest the machine.
17. Repeat steps 5 and 6 to verify that the blade PC meets policy again and is admitted to the network.
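The Thin Client Policy and Blade Policy tests from Configuring Policy Settings, together with the ipconfig checks in both enforcement walkthroughs, modelled as an added example (not HP's code): it evaluates a constructed endpoint report against the policy and checks that the address ipconfig reports lies in the subnet the decision calls for, using the quarantine area defined under NAC Installation.

```python
# Added example (not HP's code): a model of the Thin Client Policy and Blade
# Policy configured above, plus the ipconfig check used in the enforcement
# walkthrough. Service names, firewall names, the quarantine subnet and its
# DHCP range are the values from the steps; the endpoint reports and the
# ipconfig text are constructed here.
import ipaddress
import re

PRODUCTION = ipaddress.ip_network("172.16.1.0/24")   # non-quarantined subnet
QUARANTINE = ipaddress.ip_network("10.88.10.0/24")   # quarantined subnet
POOL_START = ipaddress.ip_address("10.88.10.100")    # quarantine DHCP range
POOL_END = ipaddress.ip_address("10.88.10.150")

# policy name -> (required services, firewalls accepted by the Personal Firewalls test)
POLICIES = {
    "Thin Client Policy": ({"EWFStatusSvc"}, {"Sygate Personal Firewall"}),
    "Blade Policy": ({"daesvc"}, {"Windows Firewall"}),
}

def evaluate(policy, running_services, firewall):
    """Return the failed tests; any failure means Quarantine Access, Immediately."""
    required, accepted = POLICIES[policy]
    running = {s.lower() for s in running_services}   # service names are case-insensitive
    failed = []
    missing = sorted(s for s in required if s.lower() not in running)
    if missing:
        failed.append("Services Required: " + ", ".join(missing))
    if firewall not in accepted:
        failed.append(f"Personal Firewalls: {firewall!r} not accepted")
    return failed

def ipconfig_address(output):
    """Pull the IPv4 address out of Windows XP style ipconfig output."""
    m = re.search(r"IP Address[ .]*: *(\d+\.\d+\.\d+\.\d+)", output)
    return ipaddress.ip_address(m.group(1)) if m else None

def enforcement_consistent(policy, running_services, firewall, ipconfig_output):
    """True when the address the endpoint received matches the policy decision:
    production subnet when in policy, quarantine DHCP range when out of policy."""
    addr = ipconfig_address(ipconfig_output)
    if addr is None:
        return False
    if evaluate(policy, running_services, firewall):
        return addr in QUARANTINE and POOL_START <= addr <= POOL_END
    return addr in PRODUCTION

# constructed ipconfig lines, in the format the steps above read
QUARANTINED_OUTPUT = "        IP Address. . . . . . . . . . . . : 10.88.10.103\n"
PRODUCTION_OUTPUT = "        IP Address. . . . . . . . . . . . : 172.16.1.37\n"
```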
For more information

For more information about HP thin clients or any other HP product, contact your HP Authorized Reseller or visit these online locations to learn more about HP products, services, and support:
HP Links:
• HP desktop, blade PC or thin client information: www.hp.com/desktops
• HP ProCurve NAC 800 Appliance: http://www.hp.com/rnd/support/manuals/NAC800.htm
• HP workstations information: www.hp.com/workstations
• HP security: www.hp.