Access Control Security Design Guide 2.1 ProCurve Solutions www.procurve.
ProCurve Access Control Security Design Guide 2.1, April 2008.

© Copyright 2008 Hewlett-Packard Development Company, L.P. The information contained herein is subject to change without notice. All Rights Reserved. This document contains proprietary information, which is protected by copyright. No part of this document may be photocopied, reproduced, or translated into another language without the prior written consent of Hewlett-Packard. Juniper Networks is a registered trademark of Juniper Networks, Inc.
Contents

1 Access Control Concepts
Contents 1-1
Introduction to Access Control 1-3
Network Access Control 1-4
Network Access Control Technologies 1-6
AAA
Wireless Authentication 1-30
802.11 1-30
Static Wired Equivalent Privacy (WEP) 1-31
Dynamic WEP 1-31
WPA/WPA2 and 802.11i

Types of Connections 2-9
Wired Connections 2-9
Wireless Connections 2-9
Remote Connections 2-10
Recording the Types of Connections Available to Users
Determine Your Endpoint Integrity Requirements 2-34
Browser Security Policy—Windows 2-34
Select Security Settings for Your Company 2-36
Operating System—Windows 2-37
Security Settings—OS X 2-37
Security Settings—Windows

Network Infrastructure Devices 3-29
Example 3-30
Network Infrastructure Devices as 802.1X Supplicants 3-31
Bringing All of the Factors Together 3-32
Example
Choose Endpoint Integrity Testing Methods
Requirements for Testing Methods
NAC EI Agent
Advantages and Disadvantages of NAC Agent Testing
ActiveX
Requirements for ActiveX Testing
Select an EAP Method for 802.1X 3-101
Finalize Security Policies 3-106
User Groups and Policies 3-106
Access Group Policies with IDM 3-107
Access Policies without IDM 3-117
Create the NAC Policies

Addendum to the ProCurve Access Control Security Design Guide
Contents A-1
Overview A-3
ProCurve Access Control Solution 2.1 A-4
Enhancements to the ProCurve Access Control Solution 2.1 A-5
ProCurve NAC 1.1
Updating the Access Control Design Process A-24
Choose the Endpoint Integrity Solution A-25
Existing Network Environment A-25
Vulnerability to Risks and Risk Tolerance A-26
Management Resources A-27
Interoperability Requirements

1 Access Control Concepts

Contents
Introduction to Access Control 1-2
Network Access Control 1-3
Network Access Control Technologies 1-5
AAA 1-5
Authentication
Wireless Authentication 1-29
802.11 1-29
Static Wired Equivalent Privacy (WEP) 1-30
Dynamic WEP 1-30
WPA/WPA2 and 802.11i
Introduction to Access Control

Over the last several decades, network connectivity has evolved into a necessary component of nearly every business activity. Users rely on the network for:
■ Data—the information stored in the computing environment
■ Applications—the means of manipulating that data
It is a rare user who accesses only the data and applications stored on an isolated computer system.

■ Eliminates frustrations created by piecemeal solutions—A well-designed, centrally administered network access control solution minimizes the number of passwords that users must enter throughout the day. Ideally, the solution begins to control the user’s access as soon as he or she connects to the network and continues to do so without further user interaction.

The third question raises another important issue: factors beyond a user’s identity can affect the appropriate level of access. For example, a daytime manufacturing worker might require network access during normal working hours from computers near his assembly station, but not at night or from computers in the marketing department. The means by which the user connects to the network can also be relevant.
Network Access Control Technologies

This solution design guide focuses on two general types of access control:
■ Authentication, authorization, and accounting (AAA)—controls (and tracks) which users access which resources on the network
■ Endpoint integrity—controls which endpoints are allowed on the network based on their compliance with policies for endpoint security settings
AAA provides the traditional framework for controlling access to t

Authentication

Authentication is the process by which a device determines the identity of a user connecting to a network or attempting to access a resource.

Authentication Factors. A human can identify another human in many different ways: by a name, a face, an ID badge, or knowledge of a certain piece of information. And a human can rely on his or her judgment to inform the identification.

Unfortunately, although forging these physical devices is difficult, the devices can be lost or stolen. A user might also allow someone else to access his or her endpoint—in fact, this might be a common practice in your organization. Once an unauthorized user possesses the necessary device, he or she can access the network easily.
■ Something the user is—The previous two factors associate individuals with more or less arbitrary credentials.

Note: You can also configure the network to authorize unauthenticated users for certain—typically, very limited—rights.

In addition to considering whether a user has authenticated successfully, a AAA server assigns rights based on user identity and time and location of access.

■ Other settings for the connection such as rate limits and quality of service (QoS) settings
These settings affect how a user accesses network resources, rather than which resources a user accesses. For example, you can limit a user to 10 Mbps of bandwidth, or you can assign guest users’ traffic low priority.

Accounting

Accounting, the third AAA function, collects information from NASs about users and their activities.

Accounting also enables billing; the accounting logs are forwarded to a billing server, and users are charged for the bandwidth and resources they have consumed.

Network Access Control Architecture

Before turning to methods for implementing a network access control solution, let’s consider the roles network devices play. There are many access control technologies; fortunately, the same basic architecture is used for all of them.

NASs, which you learned about earlier in the AAA section, are also PEPs. The term NAS is typically used when discussing RADIUS. For consistency, however, this chapter will use the term PEP when discussing RADIUS. The PEP has two roles:
■ Access request generator—Forces endpoints to provide basic information about themselves (credentials) before accessing network resources.

Identity-based management in the form of ProCurve IDM augments the standard PDP translator role. You will learn more about IDM in “ProCurve IDM” on page 1-58. For now, simply know that IDM helps the PDP factor user group, location, time, system, and—with the help of a network access controller—endpoint integrity into its decisions. Based on these inputs, IDM can provide policy instructions to the PEP in the form of various dynamic settings.

Policy Repository

The policy repository stores policies that the PDP draws on to make decisions. Stored policies include access criteria for users such as username and password, valid MAC address, IP address, location, and time of day. Usually network policies are stored as sub-elements within a directory that contains other policy-related information such as user credentials (username/password combinations) and device or network information.

Network Access Control Process

Figure 1-1 shows the typical components of the network access control architecture.

Figure 1-1. Network Access Control Architecture

You will learn more about how the four components interact in discussions of specific network access control technologies. For now, you should simply be familiar with the vocabulary and the most basic process:
1. An endpoint attempts to gain access to the network.
2.

5. If it authenticates the user, the PDP draws on additional policy information from the repository to authorize the user for particular resources. It then generates device-specific configuration instructions (such as the VLAN for the port) for the PEP.
6. The PEP configures its ports according to the instructions from the PDP. The user’s endpoint receives the appropriate level of access.
In theory, a MAC address is unique and unalterable and therefore a good choice for identifying whether the endpoint should be allowed access. In practice, however, an attacker can spoof a MAC address relatively easily.

If you are using IAS, you might encounter another problem. MAC addresses do not conform to the rules for a typical user account.

Figure 1-2. The MAC-Auth Process

Local MAC-Auth. ProCurve Networking’s Adaptive Edge Architecture (AEA) emphasizes control from the center—centralized policies enforced by edge devices. Centralizing policies saves IT staff time and ensures users a consistent network experience. However, an organization with a very small network might impose network access controls set up entirely on the edge device.

Web-Auth

Like MAC-Auth, Web-Auth enables end-users to authenticate and connect to the network without special utilities or configurations on their endpoints. The endpoints require only a Web browser. However, unlike MAC-Auth, a user must participate in the authentication process, entering credentials—a username and password—in a Web page. The network access control decision is based on the validity of the username and password.

7. The PEP reconfigures itself dynamically to forward or block all traffic from the MAC address associated with the request, depending on the access decision. If the accept response included authorization instructions, the PEP configures itself to enforce them—for example, assigning the user’s port to the specified VLAN.
Some Web-Auth implementations allow rejected (or not-yet-authenticated) users to access an “Allow list” of Web sites.

802.1X

The industry-standard Institute of Electrical and Electronics Engineers (IEEE) 802.1X protocol provides the most secure form of network access control. Its standardized framework enables vendor-neutral implementations. 802.1X binds the state of a user’s port (open or closed) to the user’s authentication state—ensuring that users are properly identified and controlled as soon as they connect to a network.

Process.

6. The authentication server returns an accept or deny response to the PEP, based on the results of step 5.
7. The PEP keeps the port shut or opens the port to all traffic depending on the access decision. If the accept response included authorization instructions, the PEP configures itself to enforce them—for example, assigning the user’s port to the specified VLAN.

Authentication Requirements

Access control methods may impose some requirements on the endpoints:
■ MAC-Auth—None
■ Web-Auth—Web browser interface and user interaction
■ 802.1X—802.1X supplicant
The following Windows OS versions include a native 802.1X supplicant:
• Windows Vista
• Windows XP
• Windows 2000 SP4
Mac OS 10.3 also provides native support for 802.1X. The Open1X project has developed Xsupplicant for Linux systems. An 802.
PAP

PAP is a simple protocol: the endpoint sends an authenticate request that includes the username and password in plaintext. The authentication server compares the password to the one stored for the user, and if the passwords match, the server grants the user access (as long as other policies allow the user access at that time and location).

MS-CHAPv2

The most common version of CHAP used in contemporary networks is MS-CHAPv2. MS-CHAPv2 builds on the basic CHAP process but adds several capabilities. First, MS-CHAPv2 provides mutual authentication, which protects users and their credentials from attackers who pose as legitimate servers. MS-CHAPv2 also enables more sophisticated controls over the authentication process.

EAP-Message Digest 5 (MD5). EAP-MD5 is a base-level authentication protocol similar to CHAP; for credentials, an endpoint submits a one-way hash of a random challenge and its password. This method has the advantage of simplicity, which makes implementation and configuration straightforward.

In the first step—the initial TLS handshake—the server authenticates to the supplicant. The two devices use the public key in the server certificate to exchange cipher keys and create a symmetric encryption tunnel. In the second step—the secondary handshake—the supplicant submits credentials over the secure tunnel using a secondary authentication protocol.

RADIUS

As mentioned earlier, RADIUS is an industry-standard protocol for providing AAA services. However, this section describes the RADIUS protocol in its most limited sense, as the standard for communications between PEPs (devices such as switches and APs that offer users network access) and RADIUS servers (the authentication and possibly accounting server).

RADIUS Messages.

An AVP includes:
■ A name, which specifies the type of attribute—for example, “Username” or “Tunnel-Private-Group-ID”
■ A value, which is the specific value for that attribute for this supplicant at this time—for example, “Bob,” the name of the user who is attempting to connect, or “10,” the ID of Bob’s dynamic VLAN
The RADIUS protocol defines approximately 50 attributes, including:
■ Username
■ Password
■ Type of service request
■ NAS

RADIUS-PAP and RADIUS-CHAP, while not very secure, are more secure than simple PAP and CHAP. For example, a PEP and a RADIUS server have a shared secret, which authenticates their messages to each other. The PEP also encrypts PAP passwords with this secret, lending a limited degree of security to PAP. In addition to PAP and CHAP, the RADIUS protocol works with EAP.
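As an added illustration of the RADIUS attribute format and the PAP password hiding described above (example code written for this edit, not ProCurve's code or any RADIUS server's), the following encodes attributes as RFC 2865 type/length/value triples, hides a PAP password with the PEP's shared secret as RFC 2865 section 5.2 specifies, and builds the RFC 2868/3580 tunnel attributes a server returns to place a port in VLAN 10. The shared secret, password and Request Authenticator values are constructed.

```python
"""RFC 2865/2868 RADIUS attribute encoding and PAP password hiding. Added example,
not code from the guide or from any RADIUS product; all values are constructed."""
import hashlib
import struct
from typing import List, Optional, Tuple, Union

# Attribute type codes (RFC 2865, RFC 2868) and the VLAN enumerations (RFC 3580).
USER_NAME = 1
USER_PASSWORD = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81
TUNNEL_TYPE_VLAN = 13
TUNNEL_MEDIUM_IEEE_802 = 6


def encode_avp(attr_type: int, value: bytes) -> bytes:
    """One attribute: Type (1 byte), Length (1 byte, header included), Value."""
    if not 1 <= len(value) <= 253:
        raise ValueError("attribute value must be 1..253 bytes")
    return struct.pack("!BB", attr_type, len(value) + 2) + value


def decode_avps(data: bytes) -> List[Tuple[int, bytes]]:
    """Split a run of attributes into (type, value) pairs, rejecting bad lengths
    instead of reading past the buffer, as any PEP or server parser must."""
    out, i = [], 0
    while i < len(data):
        if len(data) - i < 2:
            raise ValueError("truncated attribute header")
        attr_type, length = data[i], data[i + 1]
        if length < 3 or i + length > len(data):
            raise ValueError("bad attribute length")
        out.append((attr_type, data[i + 2:i + length]))
        i += length
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a 16-byte multiple, then XOR each block with
    MD5(secret + previous ciphertext block), the first block using the 16-byte
    Request Authenticator. The shared secret is the only key material."""
    if not 1 <= len(password) <= 128 or len(authenticator) != 16:
        raise ValueError("password must be 1..128 bytes, authenticator 16 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], keystream))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Inverse of hide_password, as the RADIUS server runs it. A wrong secret
    yields garbage rather than an error, so the result must still be verified."""
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden password must be a non-empty multiple of 16 bytes")
    out, prev = b"", authenticator
    for i in range(0, len(hidden), 16):
        keystream = hashlib.md5(secret + prev).digest()
        out += bytes(c ^ k for c, k in zip(hidden[i:i + 16], keystream))
        prev = hidden[i:i + 16]
    return out.rstrip(b"\x00")


def tunnel_avp(attr_type: int, value: Union[int, bytes], tag: int = 0) -> bytes:
    """RFC 2868 tunnel attribute: a 1-byte Tag precedes the value; integer
    values occupy 3 bytes, string values are used as-is."""
    if not 0 <= tag <= 0x1F:
        raise ValueError("tag must be 0..31")
    if isinstance(value, int):
        if not 0 <= value < 1 << 24:
            raise ValueError("integer tunnel value must fit in 3 bytes")
        value = struct.pack("!I", value)[1:]
    return encode_avp(attr_type, bytes([tag]) + value)


def vlan_accept_attributes(vlan_id: int) -> bytes:
    """Attributes an Access-Accept carries to put the port in VLAN vlan_id
    (RFC 3580): Tunnel-Type=VLAN, Tunnel-Medium-Type=IEEE-802, group ID."""
    return (tunnel_avp(TUNNEL_TYPE, TUNNEL_TYPE_VLAN)
            + tunnel_avp(TUNNEL_MEDIUM_TYPE, TUNNEL_MEDIUM_IEEE_802)
            + tunnel_avp(TUNNEL_PRIVATE_GROUP_ID, str(vlan_id).encode()))


def vlan_from_accept(data: bytes) -> Optional[int]:
    """What a PEP extracts from an Access-Accept: the VLAN ID, but only when
    Tunnel-Type and Tunnel-Medium-Type confirm an 802 VLAN assignment."""
    avps = dict(decode_avps(data))
    if avps.get(TUNNEL_TYPE, b"")[1:] != b"\x00\x00\x0d":
        return None
    if avps.get(TUNNEL_MEDIUM_TYPE, b"")[1:] != b"\x00\x00\x06":
        return None
    group_id = avps.get(TUNNEL_PRIVATE_GROUP_ID, b"")
    if group_id and group_id[0] <= 0x1F:     # leading byte is a Tag, not text
        group_id = group_id[1:]
    return int(group_id) if group_id.isdigit() else None
```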
4. The AP sends an 802.11 association response, and—if the response is “success”—the association comes up. The AP usually sends an association success response. However, if the AP implements MAC-Auth, it first extracts the MAC address from the association request and forwards it in an access request to a RADIUS server. The AP then sends a success or failure response depending on whether the RADIUS server accepts or rejects the request.
5.

In terms of access control, dynamic WEP is quite secure. Dynamic WEP also provides better data protection: because each station has its own key, a hacker finds it much more difficult to collect enough keys to crack one. Wi-Fi Protected Access (WPA)/WPA2, however, provides an even higher measure of security.

WPA/WPA2 and 802.11i

802.

Access Control Rights—Dynamic Settings

The overview of “Authorization” on page 1-8 gave a few examples of how rights are assigned and enforced. Let’s now look in more detail at ways to control users’ access after they connect. Keep in mind that you can set up these access controls in one of two ways:
■ Manually
■ Dynamically as a part of the AAA architecture—This guide will focus on this option.

A network typically includes VLANs such as these:
■ Management VLAN—This type of VLAN includes the IP addresses on infrastructure devices through which you manage and configure those devices. It may also include the endpoints which network administrators use to access the infrastructure devices. On ProCurve devices, you can enable a Secure Management VLAN, which does not allow traffic to be routed in or out of it.

Note: In “Endpoint Integrity” on page 1-36, you will learn about solutions that test endpoints for compliance with security policies. A network that enforces endpoint integrity might include additional VLANs:
■ Test VLANs—The VLANs in which endpoints are placed after they connect to the network but before they are tested by the network access controller. A test VLAN can be the same as the quarantine VLAN (described below) or its own VLAN.

If a packet’s IP header matches the ACE, the device treats the packet as indicated in the ACE, forwarding it (“allow”) or dropping it (“deny”). In effect, the ACL controls which devices can access which other devices using which applications. For example, suppose you want to allow devices in VLAN 100 to access a private Web server.

The policy also specifies the action taken when an endpoint fails the test. Most network access controllers quarantine the endpoint (see “Quarantine Methods” on page 1-42). Sometimes, however, network access controllers simply send an email message to notify the network administrator. Different network access controllers support different tests.

■ Post-connect testing—This testing takes place at set intervals throughout the connection, ensuring that endpoints continue to comply. Post-connect testing is a key component of complete endpoint integrity enforcement. Without it, end-users quickly learn that they can, for example, raise browser security settings, connect to the network, and immediately lower the settings again.

However, there are some drawbacks to using software-based agents:
■ Deployment—Installing the agent on each endpoint consumes time and IT resources. Even if the user downloads the agent manually, that installation requires one-time user interaction.
■ Memory consumed on endpoints—The agent remains on the endpoint permanently, which does take memory. However, most agents are relatively small files.

Transient Agents.

Agentless. Agentless solutions use applications that are already available on the endpoint, such as Windows Management Instrumentation (WMI), Simple Network Management Protocol (SNMP), or Microsoft Remote Procedure Call (RPC), to provide the agent functions.

Note: The ProCurve NAC 800’s agentless option relies on RPC, which provides a flexible framework for a variety of communications between remote devices, including endpoint integrity checks.

Note: The NAC 800 allows endpoints to automatically download the NAC EI agent the first time that they are tested—combining the ease of deployment of a transient agent with the advantages of a permanent agent. However, the automatic download requires ActiveX.

■ Transient-agent based—Web browser with ActiveX and JavaScript allowed in the security settings
Web browsers implement security in slightly different ways.

Endpoint Integrity Posture

As a network access controller tests an endpoint, it assigns it a posture, depending on the results of the test:
■ Unknown—Not yet tested
■ Healthy—Passed all tests
■ Check-up—Failed at least one test but allowed temporary access
■ Quarantine—Failed at least one test (and a temporary access period, if allowed, has expired)
■ Infected—Infected with malware such as a virus, worm, or spyware
The network access con

The network access controller enters the 802.1X framework as either an authentication server or a supplement to the authentication server. It inserts a check of the endpoint’s integrity into the process of making access decisions. For example, the network access controller detects and tests all endpoints when they first connect to the network.

Examples include:
■ A VPN—Remote users access the private network through the Internet. Each remote user sets up a secure tunnel with the network’s VPN gateway device. Checking the integrity of the remote endpoints is particularly important, because they are otherwise beyond your control.
ProCurve NAC 800

You should now have a solid grounding in access control concepts, both those relating to authentication and those relating to endpoint integrity.

A NAC policy consists of a list of tests. The NAC 800 provides a wide array of customizable tests, and Chapter 2: “Customer Needs Assessment” gives you some guidelines for choosing tests that meet your needs. The NAC policy also dictates whether an endpoint that fails a particular test should be quarantined immediately, quarantined after a grace period, or not quarantined at all.

6. If the credentials are correct, IAS contacts the NAC 800 and requests the endpoint’s integrity posture. (You can learn how to configure the IAS server to do so in the ProCurve Access Control Implementation Guide.)
7. Initially, the posture is Unknown. IAS calls the SAIASConnector (a file installed on the IAS server). The connector should contain a policy that associates the Unknown posture with a test VLAN. IAS sends this VLAN assignment to the PEP.
8.

DHCP Deployment

With this deployment method, the NAC 800 intercepts and responds to endpoints’ DHCP requests, assigning them IP addresses on a quarantine subnet. It then tests endpoints for compliance with NAC policies. Healthy endpoints are allowed to receive DHCP addresses from the network DHCP server and are granted complete network access. Non-compliant endpoints, on the other hand, remain in the quarantine subnet.

Note: By default the NAC 800 intercepts all DHCP requests. In a network that uses DHCP relay, however, you can configure the NAC 800 to respond to only those requests with source IP addresses in the quarantine and non-quarantine subnets. (The source IP address originates from the DHCP relay device; the endpoint, of course, does not yet have one.)

5. Note: Initially, an endpoint has the Unknown posture.

Because remediation is a key component of an endpoint integrity solution, the NAC 800 does not follow this strategy. Instead, it places quarantined endpoints in a subnet that exists in the private network, albeit in a carefully controlled way. You can establish the quarantine subnet in one of these ways:
■ The NAC 800 assigns to quarantined endpoints IP addresses that are valid but unused in the production network.

• VLAN 3: IP address = 192.168.12.1/24, IP address = 192.168.13.1/24

Restricting Access in the Quarantine Subnet. The NAC 800 uses one of these methods to enforce the quarantine:
■ It does not assign quarantined endpoints a default gateway in their DHCP configuration, and it sends them subnet masks of 255.255.255.255. In effect, each quarantined endpoint is isolated within a subnet that consists of itself alone.

Note: A cluster of ESs can connect to the choke point and test endpoints using the policies stored on the MS. Because the multiple NAC 800s may create a loop in the topology, remember to set up Spanning Tree Protocol (STP) or Rapid STP (RSTP) on the devices to which they connect.

Process for Inline Quarantining. A NAC 800 follows this process to control an endpoint’s access to the network:
1. The endpoint connects to the network.

■ EAP
• PEAP with MS-CHAPv2
• TLS
• TTLS with MD5
• GTC
• LEAP
The NAC 800’s FreeRADIUS server can also log users’ activity and function as an accounting server. To configure the NAC 800 to provide RADIUS services, you choose the 802.1X deployment and quarantining method. You then prevent the NAC 800 from testing endpoint integrity.

Process for 802.1X Quarantining. The NAC 800 imposes this process to control a user’s (and his or her endpoint’s) network access:
1. The endpoint establishes a Data-Link Layer connection to the PEP:
• An Ethernet cable is plugged into a switch, and the link opens.
• A wireless endpoint associates with a wireless AP.
2. The PEP shuts down the connection to all traffic except EAP authentication messages. It sends an EAP challenge to the endpoint’s 802.

Figure 1-5. The User Authenticates and Is Placed in the Test VLAN

8. Detecting the endpoint that has been placed on the test VLAN, the NAC 800 begins to check its compliance with NAC policies. The NAC 800 needs to receive mirrored DHCP traffic on its port 2 to detect the endpoint.
Note: In a cluster of ESs, any ES can test the endpoint; they share information with each other.
9. When the testing is completed, the endpoint has gained a new posture.

Figure 1-6. The NAC 800 Tests the User and Forces the User to Re-authenticate

10. Steps 2 to 7 repeat. Now, however, the user is assigned to a new VLAN based on the endpoint’s new posture:
• If the endpoint has the Healthy posture (complies with your policies) or the Check-up posture (granted temporary access), the user receives an assignment for a normal user VLAN. You can use IDM to customize network access for different user groups, times, and locations.
• If, on the other hand, the endpoint has the Quarantine or Infected posture, the user is placed in the quarantine or infected VLAN. Network access in the quarantine and infected VLANs is limited, typically to remediation services, in one or several of these ways:
– The endpoint is assigned (via dynamic settings created with IDM) a rate limit and list of accessible resources.
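To make the posture and VLAN logic of the 802.1X quarantining process concrete, here is an added example (not the NAC 800's or IDM's code) that derives a posture from test results and the per-test action a NAC policy assigns (quarantine immediately, after a grace period, or not at all), expires a grace period on post-connect re-tests, and returns the VLAN the PDP would instruct the PEP to use on each of the two authentication passes. Test names, grace periods, access groups and VLAN IDs are constructed; treating a failure of a "do not quarantine" test as leaving the posture unaffected is an assumption of this model.

```python
"""NAC posture and VLAN assignment model. Added example, not NAC 800 or IDM code.
Test names, grace periods, access groups and VLAN IDs are constructed."""
from dataclasses import dataclass
from enum import Enum
from typing import Dict, Optional, Tuple


class Posture(Enum):
    UNKNOWN = "Unknown"
    HEALTHY = "Healthy"
    CHECK_UP = "Check-up"
    QUARANTINE = "Quarantine"
    INFECTED = "Infected"


class Action(Enum):
    QUARANTINE_NOW = "quarantine immediately"
    GRACE_PERIOD = "quarantine after a grace period"
    NO_QUARANTINE = "do not quarantine"


@dataclass(frozen=True)
class TestRule:
    action: Action
    grace_seconds: int = 0      # used only with Action.GRACE_PERIOD


@dataclass(frozen=True)
class TestResult:
    passed: bool
    malware_found: bool = False


def compute_posture(policy: Dict[str, TestRule], results: Dict[str, TestResult],
                    first_failure_at: Dict[str, float], now: float) -> Posture:
    """Derive the posture from the policy, the test results and how long each
    grace-period failure has persisted (first_failure_at is what post-connect
    re-tests consult to expire temporary access)."""
    if any(r.malware_found for r in results.values()):
        return Posture.INFECTED               # malware outranks every other result
    posture = Posture.HEALTHY
    for name, rule in policy.items():
        result = results.get(name)
        if result is None:
            return Posture.UNKNOWN            # a required test has not run yet
        if result.passed:
            continue
        if rule.action is Action.QUARANTINE_NOW:
            return Posture.QUARANTINE
        if rule.action is Action.GRACE_PERIOD:
            if now - first_failure_at.get(name, now) >= rule.grace_seconds:
                return Posture.QUARANTINE     # temporary access has expired
            posture = Posture.CHECK_UP
        # Action.NO_QUARANTINE: assumed here to leave the posture unaffected
    return posture


# Constructed VLAN plan: test, quarantine and infected VLANs plus per-group user VLANs.
TEST_VLAN, QUARANTINE_VLAN, INFECTED_VLAN, DEFAULT_USER_VLAN = 100, 200, 201, 30
USER_VLANS = {"engineering": 10, "marketing": 20}


def assign_vlan(authenticated: bool, posture: Posture, group: str) -> Optional[int]:
    """The PDP's VLAN instruction to the PEP; None means Access-Reject."""
    if not authenticated:
        return None
    if posture is Posture.UNKNOWN:
        return TEST_VLAN
    if posture in (Posture.HEALTHY, Posture.CHECK_UP):
        return USER_VLANS.get(group, DEFAULT_USER_VLAN)
    if posture is Posture.QUARANTINE:
        return QUARANTINE_VLAN
    return INFECTED_VLAN


def connection_cycle(authenticated: bool, group: str, policy: Dict[str, TestRule],
                     results: Dict[str, TestResult], first_failure_at: Dict[str, float],
                     now: float) -> Tuple[Optional[int], Posture, Optional[int]]:
    """Both passes of the 802.1X quarantining process: the first authentication
    lands the endpoint in the test VLAN, testing yields a posture, and the forced
    re-authentication assigns the VLAN for that posture."""
    first = assign_vlan(authenticated, Posture.UNKNOWN, group)
    if first is None:
        return None, Posture.UNKNOWN, None       # rejected, so never tested
    posture = compute_posture(policy, results, first_failure_at, now)
    return first, posture, assign_vlan(authenticated, posture, group)
```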
ProCurve IDM

ProCurve IDM manages RADIUS servers, including NAC 800s. IDM is a centralized, easy-to-use solution for assigning network rights to users. It offers fine-grained network access control that is based on user identity—and other configurable criteria—rather than on network equipment alone. The IDM server runs as a plug-in to the ProCurve Manager Plus (PCM+) network management software and provides configuration and event logging services to the IDM agent.

Note: The IDM server and the PCM+ server can run on the same hardware as the RADIUS server and the IDM agent. For example, you could install PCM+/IDM, IAS, and the IDM agent on the same Windows Server 2003 system. However, IDM often controls multiple RADIUS servers running on other devices. Those RADIUS servers also require the IDM agent. You must install the IDM agent on a third-party RADIUS server, but the NAC 800 automatically includes the agent.

Figure 1-8.
2 Customer Needs Assessment

Contents
Overview 2-3
Types of Users 2-5
Employees 2-5
Temporary Employees 2-6
Guests
Evaluate the Existing Network Environment 2-25
Size 2-25
Edge Devices 2-25
Endpoints 2-28
Workstations and Laptops
Overview

As described in Chapter 1: “Access Control Concepts,” network access control is more than just granting legitimate users access to the network while blocking unauthorized people.

To further protect your company and its network, you must evaluate your company’s risk from endpoints as well as from users. Because endpoints are oftentimes allowed onto the network without scrutiny, companies cannot guarantee that each endpoint is virus free or running the latest patches for security vulnerabilities.
Types of Users

For network access, one size does not fit all users. Many different types of users need to access the company network, and these users all need varying resources and services. When you are planning access control for a network, it is helpful to begin by listing groups of users who share the same general characteristics and need the same network resources.

In the example, the Berlin_developers group might need to be subdivided based on the projects to which workgroups are assigned.

Network Skills

After you identify the groups of users who need access to the network, you should list their typical computer skill level. There are two reasons that the users’ level of technical expertise matters. First, technically sophisticated users will have less trouble adapting to a more complex access control method.

Recording Information about Users

As you collect information about network users, you may want to use a table to record the information and to make that information more accessible. Table 2-1 provides an example.

Table 2-1. Network Users
Group | Location | Access Times | Network Resources | Computer Skills
Human resources | Main office, southwest side | 24 x 7 | Server 10.1.1.50, Email, Internet, Printer 10.1.1.200, Color printer 10.1.1. |
Types of Connections

After you identify the users who need access to the network, you should determine the types of connections each group of users needs. There are three basic types of network access:
■ Wired
■ Wireless
■ Remote

Wired Connections

Most regular and temporary employees will have a wired connection. For each user, you should list any special considerations.

Remote Connections

Which users should be permitted to access the network through a remote location? Which resources should they be able to access from a remote location? Are users accessing the network through a virtual private network (VPN)? If so, how many routers or VPN gateways enable this access, and where are they located? How many endpoints access the network through each VPN gateway? How will remote users prove to the VPN gateway that they are legitima

Group | Permitted Connections | Access Times | Network Resources
Accounting | Wired only | 24x7 | Server 10.1.1.50, Email, Internet, Printer 10.1.1.201, Color printer 10.1.1.210
Guests—platinum partners | Wireless only | 8 a.m. to 5 p.m. | Internet only

Access Control Zones

Based on your users’ access needs, you can begin to identify which network segments must support wired, wireless, or even remote access.

Figure 2-1. Wireless and Wired Zones

The type of network access can then be further categorized by the users who are accessing the network. There are two general categories: private, which requires tight access controls for known users such as employees, and public, which imposes access controls for less well-defined users such as guests.

■ Public wired zone—Supports guest users and provides wired connections for them. Typical examples of this zone might be meeting rooms and training rooms that are frequently used by visitors. These visitors might use desktop computers that are permanently connected to the network, or they might bring their own laptops and connect them to the network via a wired connection.

Note that these zones are classifications for convenience; they provide a way to talk about the different needs that a network design must serve. Although typical of many network environments, they do not have hard boundaries.
Determine Risk Tolerance

An important part of implementing access controls is evaluating your company’s risk tolerance. What type of data does your company store, and what are the consequences if a hacker breaches your network security and steals or damages that data? The more valuable your network assets are, the more severe the consequences if network security is compromised.

According to the report, a company’s stock price could decrease between “7.9 and 13.6 percent,” depending on the size of the company. In general, the larger the company, the more the stock price would decrease. (See Why Compliance Pays, p. 11.) Once you know the importance of your company’s network assets, you can determine its risk tolerance. If your company stores customers’ credit card numbers, it has a low risk tolerance.

■ Federal Information Security Management Act of 2002 (FISMA)—FISMA is the primary legislation governing U.S. federal information security. Passed as part of the Homeland Security Act of 2002 and the E-Government Act of 2002, FISMA requires every government agency to secure information and the information systems that support its operations and assets.

Regulatory Compliance

Although companies are expected to comply with these regulations, most fall short, according to the IT Policy Compliance Group. In its 2007 survey of 475 companies, the compliance group found that “eighty-seven percent of organizations—about 9 out of 10 firms—are not leveraging the appropriate compliance and IT governance procedures, which would reduce costs, business disruptions, and lost or stolen data.” (Why Compliance Pays, p. 4.
Vulnerability to Attacks

Once you understand your company’s risk tolerance, you may want to quickly review the types of attacks that threaten your network. Again, this will help you set up your network controls to protect your network from these attacks. For example, it will help you determine whether or not you need endpoint integrity checking.

Many insider attacks occur without the knowledge of the user. A user may log in to the network with an infected workstation or an unpatched workstation that is vulnerable to infections. Laptops are particularly problematic because they are mobile and often plug into other networks, both public and private. Consequently, laptops have a higher risk of infection—and of spreading the infection in your network.

Malware

This broad, general term describes software that is at best a nuisance and at worst destructive to your network devices. Any software designed to use network resources or infiltrate network devices without the knowledge or consent of the device owner is considered malware. You must protect your network against several types of malware.

Adware. This software displays unwanted pop-up ads on an infected endpoint.

All networks need protection from malware, but your particular vulnerabilities depend to a certain degree on your environment. As you probably noticed in the descriptions above, users are often implicated in introducing malware—even if they do so unintentionally. If possible, you should meet with users and discuss how they use the Internet.

Worms often include instructions in their code to erase data and destroy network resources as well as to open security holes and backdoors that allow an attacker access to and control of the infected network device. Some worms can also disable antivirus and firewall software. And several worms can take over an infected computer to send thousands of spam emails and messages.

■ Intrusion detection system (IDS)/intrusion prevention system (IPS)—These hardware and software solutions monitor network traffic and look for network intrusions and attacks. Attacks are detected either by benchmarking traffic usage and monitoring for deviations or by inspecting traffic and looking for known attack patterns.
Evaluate the Existing Network Environment

software or a personal firewall. It could also ensure that the endpoints attaching to your network are running the patches for their OS and applications. Although this design guide does not focus on the other security measures you can take to protect your network (namely Virus Throttle software, IPS/IDS, and Network Immunity Manager), you should evaluate such measures in your overall network security strategy.
If you plan to implement endpoint integrity, you should also determine if the switch supports port mirroring, which may be necessary to allow NAC 800s to detect endpoints. (Depending on the switch, this feature might be called port monitoring, local traffic mirroring, or port spanning.

Figure 2-3. The AP as a Supplicant

The ProCurve AP 530 and the AP 420 both include a supplicant. In addition, the radio ports (RPs) used with the Wireless Edge Services Module include a supplicant. Because it is common to use Web-Auth as the access control method for guests who access a wireless network, you should also determine if the AP supports this access method.

Table 2-4. Recording Information about APs
AP Vendor and Model Number | Firmware Version | Location | Authentication Methods Supported | 802.1X Supplicant
AP 530 | WA.01.19 | Lobby | • 802. |

Knowing the OSs being used on your network has two purposes: First, you can determine which OSs support 802.1X, which is required for the highest level of network access control security. For example, Windows 2000 requires Service Pack (SP) 2 for 802.1X support. (If you are not familiar with 802.1X, see Chapter 1: “Access Control Concepts.”) Windows NT and Windows ME, on the other hand, do not include an 802.1X supplicant.

Table 2-5.

However, if printers do not support 802.1X, note the location and the switch port used to connect the printers to the network. For these printers, you may be able to use MAC-Auth as the access control method. Record the same information for fax machines, scanners, and any other endpoints. You can use Table 2-6 as an example.

Table 2-6.

Remote Connections

Which locations provide remote access to the network? How many routers or VPN gateways are configured to provide this remote access? Where are these routers and VPN gateways installed on the network?

Subnets and VLANs

For each network segment, record the subnet address. Are you using static virtual local area networks (VLANs)? If yes, please note which switches and APs support these VLANs.

Network Diagram

Ideally, you should have a network diagram, showing the switches at each location and the endpoints that connect to each switch. The diagram should list network subnets and VLANs for each switch.
Determine Your Endpoint Integrity Requirements

Once you identify the endpoints, the OSs, and the applications being used on the network, you can begin to determine the endpoint integrity requirements for those endpoints. That is, you can determine what an endpoint should be running and how it should be configured before it is allowed onto the network.

Other tests relate to security settings in Internet Explorer, which allows you to define zones:
■ Intranet zone—allows you to define intranet sites that are inside the company’s firewall
■ Trusted zone—allows you to identify safe Web sites that you or your company trusts
■ Restricted zone—allows you to identify the sites that are not trusted or are known to host adware or other malware
■ Internet zone—includes all Internet site

Select Security Settings for Your Company

Like other security measures, Internet Explorer security settings require you to weigh tighter security against the users’ need for functionality. That is, the lower your Internet Explorer security settings, the higher the functionality. And conversely, the higher your Internet Explorer security settings, the lower the functionality. The NAC 800’s default settings are a good place to start.

Any Web site that is not included in the other zones is automatically placed in the Internet zone. For these Web sites, the NAC 800 default setting is Medium. This setting provides protection against many types of attacks while still enabling functionality users might require to complete their jobs. If your company requires tighter security, you may need to change the settings for these zones.

■ Networks to which the endpoint connects—This check helps you to determine whether more endpoints than bargained for may be connecting through a single endpoint. For example, students at some universities transform their endpoints into wireless routers (connected to the university network on the Ethernet port and an ad hoc wireless network with a wireless card) and offer their friends access to the university network.
The Human Factor

In addition to evaluating your company’s requirements, you must consider what it will take to implement the necessary network access controls and endpoint integrity.

IT Department Workload

You must assess the workload of the IT staff.

long the testing will take. You should also explain what happens when a workstation is quarantined and the steps they should take to make the workstation compliant. By taking some time to work with employees, you can avoid frustration and chronic complaints. Users will know exactly what to expect and will typically be more understanding if any problems occur.
3 Designing Access Controls

Contents
Comprehensive Security Policy 3-5
The Components 3-6
The Process of Designing Access Control Security 3-8
Example Network 3-8
Choose the Access Control Methods
Make Decisions about Remote Access (VPN) 3-36
Decide Whether to Grant Remote Access 3-37
Select VPN Options 3-38
Vulnerability and Risk Assessment 3-40
Example
ActiveX 3-62
Requirements for ActiveX Testing 3-62
Advantages and Disadvantages of ActiveX Testing 3-63
Agentless 3-63
Requirements for Agentless Testing
Finalize Security Policies 3-106
User Groups and Policies 3-106
Access Group Policies with IDM 3-107
Access Policies without IDM 3-117
Create the NAC Policies
Comprehensive Security Policy

After you carefully evaluate your company’s users, network, and risk tolerance, you can use all of the information that you have gathered to begin to create a comprehensive security policy. This written document will not only help you implement security consistently and appropriately for each user, but will also outline your security measures for the entire company, including end users and upper management.

ness interests, and it is a complex process, encompassing many factors. The more careful you are in addressing each factor, the more effective your security controls will be. You can also enlist help from the people who will be most affected by your security policy—the users.

No matter what format you use, your security policy should include the following information:
■ Goals—Clearly state your overarching goals for writing a comprehensive security policy. These goals should align with your company’s business strategy. Having clear goals will help you determine if your security policy is successful. Over time, you can measure your company’s progress in reaching these goals.

The Process of Designing Access Control Security

This chapter outlines a step-by-step process for designing your access control security. It explains each step in depth, helping you to understand all the factors you must consider when completing that step.
1. Choose the access control methods.
2. Make decisions about remote access (VPN).
3. Choose the endpoint integrity deployment method.
4. Choose the endpoint integrity testing method.
5.

Figure 3-1. Diagram of the PCU Campus

Until now, the network administrators have used a Lightweight Directory Access Protocol (LDAP)-compliant directory to control access to data and applications, but they have not enforced access control at the port. The lack of security has made the network vulnerable, and several problems have occurred.

In each area shown in Figure 3-1, the PCU IT staff must determine the users’ needs and the type of access the users require. After a thorough needs assessment, the IT staff has gathered the following information.
■ Dormitories—The students need a combination of wired and wireless access for endpoints that they bring from home.

laptops. Resource endpoints consist of databases, specialized server clusters, the supercomputer, and other high-end computing components. The endpoints run a variety of OSs, including Linux, UNIX, and some Berkeley Software Division (BSD)-based systems.
■ Remote access—Faculty members access PCU’s LAN from home (or while away on sabbatical) via a virtual private network (VPN). (Students can access their email from home via HTTPS.

The PCU staff also creates a simple diagram of the current network configuration and assigns endpoints and resources to network access zones.

Figure 3-3.
Choose the Access Control Methods

As outlined in Chapter 1: “Access Control Concepts,” there are three access control methods:
■ MAC Authentication (MAC-Auth)
■ Web Authentication (Web-Auth)
■ 802.1X
Each method has advantages and disadvantages, as Table 3-1 shows.

Table 3-1.
Access Control Method | Advantages | Disadvantages | Security Level
802.1X | • Control over both users and endpoints that access the network (because endpoints can have supplicants) • In the wireless world, | • More network requirements such as an 802.1X-capable switch, 802.1X-capable endpoints, and a RADIUS server • 802. | High • High effort to crack—attackers must forge authorized user credentials to gain entry
Network Access Zones: Security

What type of security do you need in each zone? As explained in Chapter 2: “Customer Needs Assessment,” when you are planning network access control, it is helpful to identify network zones, which are network segments or areas that provide a particular type of connection—wired, wireless, or remote. You can further categorize zones based on the type of users who are accessing the network in these areas.

Wired Zone Security Concerns

Wired zones can be physically protected to some extent; that is, you can control physical access to the wire by allowing only authorized people to enter the buildings that contain the LAN. If would-be hackers cannot physically access the wires, they cannot tap into the wire and use a protocol analyzer to eavesdrop on wired communications.

provide access to even fewer network resources—such as a public printer and an Internet connection. ACLs should prevent guests from accessing sensitive network resources such as personnel files or financial data.

Wireless Zone Security Concerns

Because a wireless network is a shared medium, it requires different security measures to protect transmissions from eavesdroppers.
Table 3-3.
Authentication Method | Encryption Options | Advantages | Disadvantages
Web-Auth | • None by default • Optional encryption possible, depending on AP | • Ideal for public zones • User-based authentication • No configuration on endpoints—unless using optional encryption | • No 802.

■ Do your endpoints have 802.1X supplicants? Most reasonably up-to-date endpoints will meet this requirement. The following Windows versions include a native 802.1X supplicant:
• Windows Vista
• Windows XP
• Windows 2000 Service Pack (SP) 3 or later
Mac OS X 10.3 also provides native support for 802.1X. The Open1X project has developed the Xsupplicant for Linux systems.

If your environment cannot support either 802.1X or WPA/WPA2, you can implement static WEP. However, static WEP is seriously flawed and not recommended.

Note: The guidelines above were formulated under the assumption that you have control over the equipment that accesses your private wireless zone.
Example

For example, PCU, like all universities, has a very low risk tolerance. The PCU network stores confidential information about both students and faculty. In addition, the faculty stores curriculum and tests on the network. The university cannot afford to have any of this information stolen. When factoring in only security, the PCU network administrators select the access control methods shown in Table 3-4.

Table 3-4.

If you have a large number of users who are technically unsophisticated, you may need to factor in some training if you select 802.1X as the access control method. On the other hand, if you have a large number of highly knowledgeable users (such as university students), you will probably want to rule out less-secure access methods and focus on 802.1X combined with strict application and data access controls.

Table 3-7. Access Control Method by User Type and Sophistication
Factor | Private Wired | Public Wired | Private Wireless | Public Wireless
User type and sophistication | • 802.1X • Web-Auth for the administration building only | Web-Auth | 802. |

Table 3-8. Access Control Method by Administrative Workload
Factor | Private Wired | Public Wired | Private Wireless | Public Wireless
Administrative workload | Web-Auth | Web-Auth | Web-Auth | Web-Auth

Endpoints

What types of endpoints will connect to the network? Not all endpoints support the three access control methods equally. Some access control methods are more dependent on particular hardware or software than others.

Even gaming devices, such as the Microsoft Xbox 360, include a NIC, allowing them to connect to a network and support MAC-Auth. As part of your security policy, you must determine if you will allow gaming devices to access the network, and if you do grant them access, you must create a way for users to register their gaming devices so that you can set up MAC-Auth for them.
In addition to the endpoints listed in Table 3-10, the PCU network includes a UNIX supercomputer and servers. Authentication is not as critical for the supercomputer and servers because they are housed in a secure, locked room to which only a few people have keys. You should always secure physical access to your servers so that unauthorized users cannot access them and steal your data or change your configuration.

Table 3-12. Administrative Control Levels
IT Administrative Control | Description
No control | Owned and controlled by users; effecting change may be difficult.
Some control | Owned by the users or by the business; change may be possible, but may be inhibited by factors such as weak corporate policy, weak administrative controls, or corporate culture.
Complete control | Owned by the company; IT clearly has the ability to effect change.

Table 3-14. Authentication Method by Administrative Control
Factor | Private Wired | Public Wired | Private Wireless | Public Wireless
Administrative control | 802.1X | Web-Auth | 802.1X with WPA/WPA2 | Web-Auth

Network Infrastructure Devices

Finally, look at your existing network infrastructure:
■ What access methods do your network infrastructure devices support?
■ Which network infrastructure devices have 802.
For the wireless zones, the APs should implement the access control methods you select as long as they are capable of doing so. In some cases, the switch port to which the AP connects might enforce the access control instead (the AP might still require encryption); however, this strategy is less desirable for several reasons:
■ When the AP implements 802.1X authentication, the EAP exchange furthers the negotiation of secure per-session keys.

Network Infrastructure Devices as 802.1X Supplicants

If you implement 802.1X on the ports at your edge switches, you will want to authenticate network infrastructure devices (such as APs or even switches) as well as endpoints. This prevents anyone from attaching rogue APs and other unauthorized devices that could compromise your network security.

Table 3-18. Network Access Control Capabilities of ProCurve Edge Switches
ProCurve Switches | 802.1X Supplicant
5400zl | X
5300xl | X
4200vl | X
4100gl | X
3500yl | X
3400cl | X
2900 | X
2810 | X
2800 | X
2600 | X
2510 |
2500 |
1800 |
1700 |

Bringing All of the Factors Together

Now that you have evaluated your network with regard to the relevant factors, you can determine which access control methods are feasible for each zone.
Table 3-19. Access Control Methods by Feasibility
 | MAC-Auth | Web-Auth | 802.1X
Public wired | Usually not feasible if users are providing their own endpoints—unless you ask users for the MAC addresses of their endpoints. Feasible if your company provides the endpoint (in a lab, for example). | Feasible because endpoints with user interfaces typically have a Web browser. | Typically not feasible when users provide their own endpoint.

The value in the “Total” row might yield a good result, but you need to look more closely at the factors because some might be more critical than others. For example, if one of your switches does not support 802.1X, you would have to select another access control method, regardless of the other factors (unless you have the budget to purchase a new switch).

Table 3-21. Preliminary Decisions for the Access Control Method
Factor | Weight | Private Wired | Public Wired | Private Wireless | Public Wireless
Security | 3 | • 802.1X • Web-Auth for the administration building only | 802.1X | 802.1X with WPA/WPA2 | 802.1X with WPA/WPA2
User type and sophistication | • 2 for private zones • 3 for public zones | 802.1X | Web-Auth | 802. |
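The scoring behind the “Total” row and Table 3-21, written out as an added example (not code from this guide): each factor votes for a method in each zone, the votes are weighted and summed, and a hard constraint such as an edge switch without 802.1X support then removes a method even if it tops the total. The security and user-type weights follow Table 3-21; the remaining weights, the per-factor votes and the constraint are assumed sample input.

```python
"""Weighted decision matrix for choosing an access control method per zone.

Added example, not code from the ProCurve guide. Security and user-type
weights follow Table 3-21; every other weight, the votes and the hard
constraint below are assumed sample input constructed for this example.
"""

METHODS = ("MAC-Auth", "Web-Auth", "802.1X")
WPA_VARIANT = "802.1X with WPA/WPA2"   # the wireless form of 802.1X in the guide
# Tie-break order, most secure first (Table 3-1 rates 802.1X highest).
SECURITY_RANK = {"802.1X": 2, "Web-Auth": 1, "MAC-Auth": 0}


def normalize(method):
    """Fold the wireless variant onto 802.1X so the tally has three columns."""
    return "802.1X" if method == WPA_VARIANT else method


def factor_weight(factor, zone):
    """Security and user-type weights as in Table 3-21; the rest are assumed."""
    if factor == "security":
        return 3
    if factor == "user type and sophistication":
        return 3 if zone.startswith("Public") else 2
    return 1  # assumed weight for the remaining factors in this example


def tally(zone, votes):
    """Sum weighted votes; votes maps factor -> preferred method for this zone."""
    totals = {m: 0 for m in METHODS}
    for factor, method in votes.items():
        totals[normalize(method)] += factor_weight(factor, zone)
    return totals


def choose_method(zone, votes, infeasible=None):
    """Return (chosen method, totals, overridden).

    infeasible maps method -> reason it cannot be deployed in this zone.
    overridden is True when the top-scoring method was ruled out by such a
    hard constraint, i.e. the "Total" row alone would have misled you.
    """
    infeasible = infeasible or {}
    totals = tally(zone, votes)
    ranked = sorted(METHODS, key=lambda m: (totals[m], SECURITY_RANK[m]), reverse=True)
    feasible = [m for m in ranked if m not in infeasible]
    if not feasible:
        raise ValueError(f"{zone}: no feasible access control method")
    chosen = feasible[0]
    overridden = chosen != ranked[0]
    if chosen == "802.1X" and "wireless" in zone.lower():
        chosen = WPA_VARIANT          # wireless zones pair 802.1X with WPA/WPA2
    return chosen, totals, overridden


# Constructed sample input. The private wired zone mirrors the guide's warning:
# the heavily weighted factors favor 802.1X, but one edge switch cannot enforce it.
SAMPLE_VOTES = {
    "Private wired": {
        "security": "802.1X",
        "user type and sophistication": "802.1X",
        "administrative workload": "Web-Auth",
        "endpoints": "802.1X",
        "administrative control": "802.1X",
        "network infrastructure": "Web-Auth",
    },
    "Public wired": {
        "security": "802.1X",
        "user type and sophistication": "Web-Auth",
        "administrative workload": "Web-Auth",
        "endpoints": "Web-Auth",
        "administrative control": "Web-Auth",
        "network infrastructure": "802.1X",
    },
    "Private wireless": {
        "security": WPA_VARIANT,
        "user type and sophistication": WPA_VARIANT,
        "administrative workload": "Web-Auth",
        "endpoints": WPA_VARIANT,
        "administrative control": WPA_VARIANT,
        "network infrastructure": WPA_VARIANT,
    },
}
SAMPLE_INFEASIBLE = {
    "Private wired": {"802.1X": "an edge switch in this zone does not support 802.1X"},
}


def decide_all(votes=SAMPLE_VOTES, infeasible=SAMPLE_INFEASIBLE):
    """Run the matrix for every zone; returns {zone: (method, overridden)}."""
    decisions = {}
    for zone, zone_votes in votes.items():
        method, _totals, overridden = choose_method(zone, zone_votes, infeasible.get(zone))
        decisions[zone] = (method, overridden)
    return decisions


if __name__ == "__main__":
    for zone, zone_votes in SAMPLE_VOTES.items():
        method, totals, overridden = choose_method(zone, zone_votes, SAMPLE_INFEASIBLE.get(zone))
        flag = " (top-scoring method ruled out by a hard constraint)" if overridden else ""
        print(f"{zone}: {method} {totals}{flag}")
```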
Make Decisions about Remote Access (VPN)

Table 3-22. Access Control Methods for Each Zone
Zone | Access Control Method
Private wired | 802.1X and MAC-Auth (for endpoints that do not support 802.1X)
Public wired | Web-Auth, except for headless devices, which use MAC-Auth
Private wireless | 802.1X with WPA/WPA2
Public wireless | Web-Auth

Remember that the PCU network administrators noted that the users in the administration building would need some help if 802.

Decide Whether to Grant Remote Access

You must first decide whether or not you will even grant remote access. You must weigh the initial cost and hassle of setting up a VPN against the benefits, which can be numerous. Establishing a VPN entails certain costs, some of which are listed in Table 3-23. You can minimize these costs, however.

Table 3-24. Advantages of Remote Access
Advantages | Explanation
Increased productivity | Users can access data and perform work tasks when out of the office
Increased employee satisfaction | Some users may be able to work more flexible hours or telecommute from home. Others escape the frustration of a long commute; they can focus on work rather than on traveling to the office.
Designing Access Controls Make Decisions about Remote Access (VPN) Note The IPsec protocol in particular requires you to design a detailed security policy. In addition to the options listed above, policies include parameters such as the Diffie-Hellman group, the IKE initiate and response mode, and separate encryption and hash algorithms for the temporary IKE security association (SA).
Designing Access Controls Make Decisions about Remote Access (VPN) Protocol Authentication Methods Encryption Protocols and Algorithms Client Gateway L2TP/IPsec IKE • Preshared key (password) • Digital certificates: – RSA – DSA ESP, integrity and privacy: • MD5 • SHA-1 • DES • 3DES • AES Windows native • Windows Server 2000 or 2003 • Other vendors: – Software built into router or firewall – Hardware appliance PPTP • Microsoft Challenge Handshake Authentication Protocol version 2 (MS-CHAPv2) (pass
Designing Access Controls Make Decisions about Remote Access (VPN) First, you need to consider how remote users will authenticate. Digital certificates provide the greatest security. Passwords (preshared keys) open a couple of vulnerabilities: ■ Hackers can attempt to collect the passwords. IKE addresses this vulnerability by sending the password (preshared key) over a secure tunnel (IKE SA). PPTP with MS-CHAPv2, which also authenticates users with passwords, is less secure.
Designing Access Controls Make Decisions about Remote Access (VPN) User Type and Sophistication Which users are connecting to the network, and what level of expertise do they have? Although you can make a VPN available to whomever you choose, remote access is commonly reserved for members of your organization. (That is, you do not provide VPN connections for guest users.) Therefore, you can typically expect a certain degree of interaction with the users.
Designing Access Controls Make Decisions about Remote Access (VPN) has a valid certificate installed on it. If so, the digital certificate method shouldn’t pose problems even for less skilled users. If you use PPTP, users can log in with their normal credentials and have one fewer password to remember. Finally, encryption algorithms are similar as far as ease in selecting them in a client’s security policy.
Designing Access Controls Make Decisions about Remote Access (VPN) Administrative Workload and IT Budget Do network administrators have the time and resources to establish the VPN? How much budget has your organization allocated for this task? No matter which VPN protocol is selected, IT staff must dedicate some time to configuring the VPN gateway and more time still to configuring VPN clients or training users how to configure the clients.
Designing Access Controls Make Decisions about Remote Access (VPN) When factoring in only administrative workload and IT budget, the PCU network administrators have selected the options shown in Table 3-28. Table 3-28.
Designing Access Controls Make Decisions about Remote Access (VPN) Table 3-29. Endpoint Compatibility for Remote Access OS Native Capabilities • Windows Vista • PPTP IPsec with IKE • L2TP/IPsec • Vendor client • Secure Socket Tunneling Protocol (SSTP)—not discussed in this guide With VPN Client • Windows XP • Windows 2003 Server • Windows 2000 • PPTP • L2TP/IPsec IPsec with IKE • ProCurve VPN Client • Other vendor client Macintosh OS X 10.
Designing Access Controls Make Decisions about Remote Access (VPN) Table 3-30.
Designing Access Controls Make Decisions about Remote Access (VPN) Table 3-31. Selecting VPN Options Based on Existing Network Infrastructure Factor VPN Protocol Authentication Method Encryption Existing network infrastructure IPsec with IKE Digital certificates Any Client Gateway ProCurve VPN Client Secure Router 7203dl Bringing All Factors Together Having considered the factors above, you can select options for your VPN. You can use Table 3-32 to make your final decision.
Designing Access Controls Make Decisions about Remote Access (VPN) Table 3-32. Preliminary Decisions for VPN Options Factor Weight VPN Protocol Authentication Method Encryption Client Gateway Security User type and sophistication Administrative workload and IT budget Endpoint and administrative control Existing network infrastructure Total Example For example, Table 3-33 lists the choices that the PCU network administrators have made, based on each factor.
Designing Access Controls Make Decisions about Remote Access (VPN) Table 3-33.
Choose the Endpoint Integrity Deployment Method

After selecting an access control method, you must turn your attention to endpoint integrity. Specifically, you must determine how you will deploy the ProCurve Network Access Controller (NAC) 800. As explained in Chapter 1: “Access Control Concepts,” the NAC 800 can be deployed in three ways, which correspond with the quarantine method:
■ 802.

An exception might be when you enforce Web-Auth on wireless LANs (WLANs). You can use the inline deployment method if the wireless network meets these requirements:
■ Traffic from the wireless network is forwarded into the rest of the network at one or two choke points:
  • You are using a Wireless Edge Services Module, which can act as a choke point.

Table 3-34. Options for Endpoint Integrity Deployment Method by Access Control Method
  802.1X
    Private wired: 802.1X; Public wired: 802.1X; Private wireless: 802.1X; Public wireless: 802.1X
  802.1X with MAC-Auth for headless devices
    Private wired: 802.1X; Public wired: 802.1X; Private wireless: 802.1X; Public wireless: 802.1X
  MAC-Auth—switches and APs support dynamic VLANs
    Private wired: 802.1X; Public wired: 802.1X; Private wireless: 802.1X; Public wireless: 802.

The DHCP deployment is less secure because sophisticated users can circumvent the endpoint integrity checking. If users configure their endpoint with a valid static IP address (rather than relying on the DHCP server to provide an address), their endpoint will not be quarantined even if it fails endpoint integrity tests.
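Because the DHCP deployment can only quarantine endpoints that actually take a lease, the compensating control is to notice endpoints that hold a production address the DHCP server never gave them. The following is an added example, not from the guide or the NAC 800 product: it compares a DHCP lease table with the IP-to-MAC bindings collected from the access switches and reports every unleased or overridden binding in the user scopes. The lease table, bindings, subnet and allowlist are all constructed sample data.

```python
import ipaddress

# Constructed sample data (not from the guide): a DHCP lease table and the
# IP-to-MAC bindings gathered from the access switches (ARP or DHCP-snooping tables).
LEASES = {                        # MAC -> address the DHCP server handed out
    "00:11:22:33:44:01": "10.10.1.50",
    "00:11:22:33:44:02": "10.10.1.51",
    "00:11:22:33:44:03": "10.10.99.20",   # failed its tests and was leased a quarantine-scope address
}
BINDINGS = [                      # (IP, MAC) pairs actually seen on the wire
    ("10.10.1.50", "00:11:22:33:44:01"),
    ("10.10.1.51", "00:11:22:33:44:02"),
    ("10.10.1.77", "00:11:22:33:44:03"),  # quarantined MAC now using a static production address
    ("10.10.1.200", "00:11:22:33:44:09"), # MAC that never obtained a lease at all
    ("10.10.1.5", "00:aa:bb:cc:dd:01"),   # file server with a documented static address
]
STATIC_ALLOWLIST = {"00:aa:bb:cc:dd:01"}                # assets permitted to use static addresses
USER_SCOPES = [ipaddress.ip_network("10.10.1.0/24")]   # DHCP scopes handed to compliant endpoints


def audit_bindings(leases, bindings, allowlist, user_scopes):
    """Return (mac, ip, reason) for every endpoint holding a production address
    that the DHCP server did not assign to it. In a DHCP deployment these are
    exactly the endpoints the quarantine cannot reach, so they need follow-up
    (port lookup, user contact) rather than silent acceptance."""
    findings = []
    for ip, mac in bindings:
        if mac in allowlist:
            continue
        addr = ipaddress.ip_address(ip)
        if not any(addr in scope for scope in user_scopes):
            continue                          # not in a production user scope
        leased = leases.get(mac)
        if leased is None:
            findings.append((mac, ip, "no DHCP lease: statically configured endpoint"))
        elif leased != ip:
            findings.append((mac, ip, f"DHCP assigned {leased}: endpoint overrode its lease"))
    return findings


if __name__ == "__main__":
    for mac, ip, reason in audit_bindings(LEASES, BINDINGS, STATIC_ALLOWLIST, USER_SCOPES):
        print(f"{mac} at {ip}: {reason}")
```

Run periodically against fresh switch tables, the audit turns the DHCP deployment's known weakness into an alert; it does not close the gap, which is why the guide rates that deployment's security as Medium.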
Table 3-36. Security Level of Deployment Methods
  Security provided
    Inline: High
    802.1X: High
    DHCP: Medium
  Security mechanism
    Inline: The NAC 800 is physically placed between the endpoint and network resources.
    802.1X: Compliant endpoints are dynamically assigned a VLAN; non-compliant endpoints are quarantined in a separate VLAN.

traffic mirroring, traffic can be mirrored from a local switch to a remote switch. This gives you greater flexibility in placing your NAC 800 in an 802.1X deployment. (For more information, see “NAC 800 as the RADIUS Server” on page 3-94.) For the DHCP deployment method, you must be using DHCP, which should not be a barrier for a network of any size.

For wireless and wired connections, however, you will primarily base your decision on the factors discussed in the previous sections.

Table 3-39.

Table 3-41. Preliminary Decisions for the Endpoint Integrity Deployment Method
  Selected access control method (weight 1)
    Private wired: 802.1X; Public wired: DHCP; Private wireless: 802.1X; Public wireless: DHCP; Remote: n/a
  Security (weight 2)
    Private wired: 802.1X; Public wired: Inline; Private wireless: 802.1X; Public wireless: Inline; Remote: Inline
  Existing network infrastructure (weight 4)
    Private wired: 802.1X; Public wired: DHCP; Private wireless: 802.1X; Public wireless: DHCP; Remote: Inline
  Connection type (weight 3)
    Private wired: n/a; Public wired: n/a; Private wireless: n/a; Public wireless: n/a; Remote: Inline
  802.1X DHCP 802.
Choose Endpoint Integrity Testing Methods

The endpoint integrity testing method determines how a NAC 800 accesses endpoints and tests them. (The testing method does not affect which tests the NAC 800 performs; these tests are selected in a NAC policy, which you will formulate in “Create the NAC Policies” on page 3-120.

Testing methods (columns: Testing Method, Advantages, Disadvantages)
  Agentless
    Advantages:
      • There is no installation on the endpoint.
      • There is no user interaction.
    Disadvantages:
      • The endpoint must have four ports (137, 138, 139, and 445) opened on its firewall.
      • Admin credentials for the endpoint must be known.
      • RPC must be running on the endpoint. (It is enabled by default on all testable endpoints.

Figure 3-4. InstallShield Wizard for the NAC EI Agent

■ Manually—You can instruct users to access the NAC 800 and download the NAC EI agent manually. The NAC 800 makes the agent available at this URL: https://:89/setup.exe A user might choose this option because he or she does not want to enable ActiveX (required for automatic installation).

Note
This rule has one exception. You must open port 1500 on an endpoint that meets these three conditions:
■ Is unmanaged
■ Runs Windows XP
■ Uses a non-SP2 firewall such as Norton

Advantages and Disadvantages of NAC Agent Testing

The NAC agent can be installed on any Windows endpoint capable of being tested (Windows 98 or later).

Advantages and Disadvantages of ActiveX Testing

The ActiveX agent does not remain on the endpoint and does not require maintenance or upgrades—saving overhead. Generally, the NAC 800 can test an endpoint through its firewall, automatically opening the necessary ports. However, while the NAC agent requires a one-time installation and user interaction, the ActiveX agent requires that interaction every time an endpoint connects.

Requirements for Agentless Testing

To undergo agentless testing, the endpoint must make its RPC service available to the NAC 800. The endpoint must meet these requirements:
■ RPC service (native on all testable Windows OSs) is supported and activated.
■ File and print sharing is enabled.
■ Ports 137, 138, 139, and 445 are open on the endpoint’s firewall.

Transparent Testing

The NAC 800 tries to implement a testing method transparently, with little or no interaction from users. It will automatically try each testing method in the following order:
1. The NAC 800 tries to test with the NAC EI agent.
2. If no agent is installed on the endpoint, the NAC 800 tries to install the ActiveX agent.
3.

Figure 3-5. Home > System configuration > Cluster setting defaults > Agentless credentials window on the NAC 800

2. Click the add administrator credentials link.
Figure 3-6. Home > System configuration > Cluster setting defaults > Agentless credentials > Add Windows administrator credentials window

3. Enter the information for your network and click ok.

After you enter these credentials, the NAC 800 can use the agentless testing method.

Testing with User Interaction

If the endpoint cannot be tested transparently (without users’ interaction), the NAC 800 can display end-user access screens.

Figure 3-7. Home > System configuration > Cluster setting defaults > Testing methods window

On this window, you select the testing methods for which the NAC 800 attempts user interaction. In other words, these settings control which end-user access screens the NAC 800 displays to users.

all three testing methods are selected, the order determines which end-user access control screen is presented first to the user, which one second, and which one third. For example, if the NAC EI agent is configured as the first testing method and agentless is second, users will first see the NAC EI agent installation screen.

In this case, your choice of testing methods is limited to ActiveX because the requirements for ActiveX are less stringent. The browser must be configured to allow JavaScript and ActiveX. (If Windows XP endpoints are running a non-SP2 firewall, port 1500 must be opened. By default, the Windows XP firewall opens port 1500.) If you have more control over endpoints, you can require users to download and run the NAC EI agent.

Post-Connect Testing

If you implement endpoint integrity testing only when users first connect to the network, sophisticated users quickly learn that they can change their security settings after this pre-connect testing is completed. For example, the user can change the browser’s security settings to an acceptable level, wait until testing is complete, and then drop the settings to a lower level.

The PCU network administrators also want to use the NAC EI agent for the public wired and private wireless zones. Although some students and guest users may refuse to download an agent to their endpoint, the PCU network administrators still want to offer this option. As a backup testing method, the network administrators will use the ActiveX testing method.

Sophisticated users, on the other hand, are so comfortable changing settings that you may have to take measures to prevent them from trying to avoid the testing process. With the ActiveX testing method, for example, users could close their Web browser to bypass the post-connect testing.

Table 3-48.

Administrative Workload

If users are unwilling or unable to help with the initial setup of the testing method, the task is left to the IT staff. If you have a large number of endpoints, some types of agent setup can be too burdensome. For example, the agentless testing method requires file and print sharing to be enabled on the endpoint and the NAC 800 specified as a host for such sharing.

Example. Because the PCU network administrators are relying on users to perform setup steps, they maintain most choices they made based on user sophistication. However, because this factor includes only ease of setup and not potential ways users can evade testing, ActiveX is more desirable.

Table 3-51.

If PCU network administrators were concerned about the small surges when classes begin and at the beginning of the school year, they might choose the agentless method. However, the PCU network has been designed to handle these surges. Based solely on the network’s capability to handle overhead, the PCU network administrators choose either the NAC EI agent or ActiveX testing method.

Table 3-52.

Example. After totaling all of the methods that seem desirable according to one factor or another (see Table 3-54), the PCU network administrators decide that the NAC EI agent and the ActiveX agent are the most useful testing methods in the public zones. They will install the agent on computers in computer labs, and they will train support staff in guiding guests through automatically installing the agent.
Choose RADIUS Servers

As you will recall from Chapter 1: “Access Control Concepts,” the authentication architecture consists of four primary components:
■ Endpoint
■ Policy enforcement point (PEP)
■ Policy decision point (PDP)
■ Policy and credential repository

Figure 3-8. Network Authentication Architecture

In this step, you will select and decide how to deploy your PDPs and policy repositories.

RADIUS Servers in a Network Without Endpoint Integrity

The first PDPs discussed in this chapter are RADIUS servers, which provide these authentication, authorization, and accounting (AAA) services:
■ Authenticate end-users—verify that users are who they claim to be
■ Authorize end-users—grant users rights based on their identities
■ Create accounting records—collect information about end-user activity, including when users connect, how long they connect,

Table 3-55. General Combination
  PEPs: switch; AP; Wireless Edge Services Module
  PDPs: software RADIUS server (optionally managed by IDM); NAC 800 (optionally managed by IDM)
  Policy/credential repository: directory service

■ Integrated server—The RADIUS servers are built in to PEPs. They check credentials (and possibly limited policies) by binding to a central directory service.

Table 3-56.

■ Integrated server/proxy to turnkey server—RADIUS servers are built in to PEPs. The built-in RADIUS servers proxy requests to one or more external RADIUS servers, which store all credentials and policies. IDM is a good option for configuring policies on the turnkey RADIUS server. Again, IDM can manage credentials for NAC 800s only.

Table 3-59.

Table 3-63 shows the appropriate number of users for each strategy for combining network access control components. As you can see, you should choose the general option for a large network, while the fully integrated option is feasible only for a smaller network.

Note
Also note that if some of your PEPs do not include a RADIUS server, the built-in servers for the fully integrated option must be able to receive requests from them.

Delegating some responsibilities to edge components, as in the integrated server/proxy option, can also increase scalability. For example, when you add a Wireless Edge Services Module to accommodate wireless users, that module can add the capabilities of its built-in RADIUS server rather than simply increasing the burden on existing PDPs. Table 3-64 shows how these two factors typically balance out.

Table 3-64.

Simply as an example, consider a network with fewer users. For this network environment, the network administrators would pose the second question: does the network require a directory service? If it does, the administrators can narrow their choices to these options:
■ General
■ Integrated server
■ Integrated server/proxy
Considering questions 3 and 4, the network administrators weigh scalability and ease of management.

As you make your decision, take into consideration the design you have chosen for combining access control components. Clearly, some combinations do not work with some architectures. For example, you cannot both integrate all components on PEPs and fully centralize policies. Table 3-66 shows valid choices.

Table 3-67.
2. Are you concerned with minimizing traffic on WAN links? (And is this concern more important than simplifying management? See step 1.) WAN links can be relatively slow and costly—both reasons to minimize traffic. The more distributed the architecture, the less access control traffic must travel between sites.

This option balances reducing traffic with easing management.

Table 3-69.

In addition, the same network administrators control the policies at all sites. Policies should be centralized, so the network administrators consider using either the multi-site fully centralized option or the multi-site distributed AAA with centralized policies option.

The first step is estimating the number of logins your network (or site, if you are planning a multi-site distributed architecture) experiences in an average day. Next, you should consider how many logins the network experiences in the busiest minutes of the day. Of course, you cannot come up with exact numbers, but you can make educated guesses.

Figure 3-9.

The numbered decision points in the tree are discussed in the next few paragraphs.
1. Have you chosen an access control component combination with integrated servers? You must, of course, choose PEPs with that capability. Then answer these questions:
a.

4. Does your organization already use IAS for other functions? If you already use IAS, there is probably no strong reason to use a different server for RADIUS functions. But if your organization does not currently use IAS, the NAC 800 may be a better choice for your RADIUS needs.
5. Have you decided to enforce endpoint integrity with the 802.

NAC 800 as the RADIUS Server

If you decide to use the NAC 800 as the RADIUS server, you must make these choices:
1. Will you use IDM to manage the NAC 800? ProCurve recommends that you always use IDM to manage a NAC 800 that enforces 802.1X quarantining.

Table 3-71. General Combination for the NAC 800
  PEPs: switch; AP; Wireless Edge Services Module
  PDPs: NAC 800
  Policy repository: IDM agent
  Credential repository: directory service

• Integrated server/proxy—At least some RADIUS servers are built into the PEPs. The built-in RADIUS servers proxy requests to one or more NAC 800s, which check credentials against a directory service and receive policies from their IDM agent.

Table 3-72.

Table 3-74. Integrated Server/Proxy to Turnkey Combination for the NAC 800
  PEPs with built-in PDPs: AP 530; Wireless Edge Services Module
  Proxy PDP with policy/credential repository: NAC 800 managed by IDM and using its local database

Choosing between these options is similar to choosing between them for traditional RADIUS servers (see “Choose Which Devices Will Play the Role of PDP” on page 3-79):
a.

requires six NAC 800 ESs (preferably in at least two clusters) and one NAC 800 MS. In each cluster, only one or two NAC 800 ESs must act as RADIUS servers. The other ESs can simply provide testing.
4. In a multi-site network, where will you place NAC 800s (at a central site or at each site)? The same access control architectures for RADIUS servers apply to NAC 800s. See “Choose an Access Control Architecture” on page 3-84.
Add ProCurve IDM

You have now selected your RADIUS servers. After choosing the EAP method (required only for the 802.1X access control method), you will be ready to finalize your security policies.

IDM is also required for managing a NAC 800 that enforces endpoint integrity with 802.1X quarantining. The NAC 800 checks user credentials and tests endpoints’ integrity. IDM manages the policies for assigning endpoints to VLANs based on their integrity.

Add Users

Earlier, in “Choose Which Devices Will Play the Role of PDP” on page 3-79, you considered the location of your credential/policy repository. When you add IDM to the network, the credential repository remains where it is, usually in a directory. However, IDM now stores additional policies for users. In the next section, you’ll learn about setting up those policies in access policy groups.
Select an EAP Method for 802.1X

For those endpoints that use the 802.1X authentication method, support for EAP is required—on both the endpoints and the RADIUS servers that authenticate them. EAP provides a framework for a variety of authentication protocols, which are then called EAP methods. You must carefully consider which EAP methods are appropriate for your endpoints and your environment. (See Chapter 1: “Access Control Concepts.

The numbered decision points in the tree are discussed in the next few paragraphs. As you read through these steps, remember:
■ You can select more than one EAP method to accommodate varying needs. (On the NAC 800, you do not select an EAP method. Instead, you select the EAP type on the endpoint, and during the negotiation of the EAP method, the NAC 800 detects the EAP type. If the NAC 800 supports the EAP type, it automatically uses it.

Table 3-75 shows which EAP methods are supported by several 802.1X supplicants. You can check the documentation for your supplicants and devices and fill in your own rows in the table.

Table 3-75. EAP Methods Supported by 802.1X Supplicants
802.

If you want to authenticate ProCurve network devices, you can add EAP-MD5. (All the ProCurve devices authenticate over a wired connection, so EAP-MD5 is a legitimate option.) For other supplicants, the choice between EAP-TTLS and PEAP is still open. Move to the next question.
3. Which RADIUS server are you using? Next, examine the capabilities of your RADIUS server. Table 3-76 shows the EAP methods supported by the servers discussed in this guide.

4. Are you using IDM and is the NAC 800 proxying requests to another RADIUS server? If not, the default access method should be EAP-TTLS. EAP-TTLS and PEAP are similar in terms of architecture and security, but EAP-TTLS allows a greater variety of authentication methods to be tunneled and thus provides greater flexibility. However, EAP-TTLS and some implementations of PEAP might conceal a user’s username.
Finalize Security Policies

After you have made all of your preliminary decisions, you can draw up your policy decisions in the following table.

Table 3-77. Final Security Policy by Zone
  Columns: Zone, Access Control Method, Authentication Protocol, Wireless Encryption, EI Deployment Method, EI Testing Method, EI Deployment Method, EI Testing Method
  802.1X NAC EI agent 802.

The sections below describe designing policies with IDM.

Note
You can also define policies by setting up RADIUS attributes manually on RADIUS servers or on directory services that support RADIUS extensions.

Access Group Policies with IDM

If you are using IDM to manage policies, you should create one access policy group for each different type of user you expect on your network (students, faculty, guests, and so forth).

Table 3-79. Access Profiles
  Column: Access Profile

Plan these rights for each access profile:
■ VLAN assignment—First, you should designate a VLAN for each access profile. You can fill in the VLANs for your network in Table 3-80.

Table 3-80.

Table 3-81 shows access profiles and VLAN assignments at PCU. Each access policy group has an associated profile, and some groups have more than one profile. For example, a trusted user, such as the president who accesses the network through an unencrypted wireless connection, requires a different profile from that user on a wired or secure wireless connection. (This profile is called the unencrypted profile.)

Often resources are an entire subnet of servers. For example, you can place all financial databases in VLAN 5 and then create a “Financial Databases” resource that allows all traffic to the subnet associated with that VLAN. You can list the server (resource) VLANs in your network in Table 3-82. If you need to create a more granular resource, such as a specific email server, fill in the information in Table 3-83.

Table 3-82.

Table 3-84 and Table 3-85 show the resources that PCU’s network administrators define. Even though the NAC 800 falls within another defined resource, it is defined as a resource alone so that quarantined users can have access to the NAC 800 only.

Table 3-84. PCU Resources by VLAN
  Directory servers, DHCP servers, RADIUS servers, NAC 800s, and other servers used by the entire network
    VLAN ID: 3
    Subnet address: 10.3.0.
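Resources defined as subnets or single hosts are ultimately rendered as an ordered permit list, and the order matters: a broad "Internet" resource placed before internal subnets would reach them too. The following is an added example, not the guide's or IDM's code, that expands an access profile into such a list with the `ipaddress` module and evaluates destinations against it; it shows why the NAC 800 needs its own one-host resource for the quarantine profile and why the "Internet" resource must exclude internal address space. All subnets, resource names and profiles are constructed and do not reproduce PCU's values.

```python
import ipaddress

# Constructed example values; the guide's own PCU subnets are not reproduced here.
RESOURCES = {
    "Core servers": ["10.3.0.0/24"],      # directory, DHCP, RADIUS and other shared servers
    "NAC 800": ["10.3.0.40/32"],          # its own resource so the quarantine profile reaches only it
    "Email server": ["10.3.0.25/32"],
    "Financial databases": ["10.5.0.0/24"],
    "Internet": ["0.0.0.0/0"],
}
INTERNAL = ["10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16"]  # never reachable via "Internet"
PROFILES = {
    "Accounting": ["Financial databases", "Email server", "Internet"],
    "Guest": ["Internet"],
    "Quarantine": ["NAC 800"],
}


def build_acl(profile, resources=RESOURCES, profiles=PROFILES):
    """Expand an access profile into an ordered (action, network, label) list.
    Resources are permitted in the order listed; the "Internet" resource is
    preceded by denies for internal address space so it cannot silently grant
    access to every internal subnet; anything unmatched hits the implicit deny."""
    acl = []
    for name in profiles[profile]:
        if name == "Internet":
            acl += [("deny", ipaddress.ip_network(c), "internal space") for c in INTERNAL]
        acl += [("permit", ipaddress.ip_network(c), name) for c in resources[name]]
    acl.append(("deny", ipaddress.ip_network("0.0.0.0/0"), "implicit deny"))
    return acl


def permits(profile, dst_ip, resources=RESOURCES, profiles=PROFILES):
    """First matching entry wins, as on a switch ACL. Returns (allowed, matched label)."""
    addr = ipaddress.ip_address(dst_ip)
    for action, net, label in build_acl(profile, resources, profiles):
        if addr in net:
            return action == "permit", label
    raise AssertionError("unreachable: the implicit deny matches every address")


if __name__ == "__main__":
    for profile in PROFILES:
        print(profile)
        for action, net, label in build_acl(profile):
            print(f"  {action:6} {net!s:18} {label}")
    print(permits("Quarantine", "10.3.0.40"), permits("Guest", "10.5.0.7"))
```

Because "Financial databases" is listed before "Internet" in the Accounting profile, its explicit permit is reached before the internal-space deny; reordering the resources in a profile changes what it grants, which is worth a review step whenever a profile is edited.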
Table 3-86. Resources Allowed in Access Profiles
  Columns: Access Profile, Resources

Table 3-89 shows the resources that the PCU administrator assigns to each user.

Table 3-87. Resources Allowed in PCU Access Profiles
  IT admin
    • Administration building file servers, printers, and fax machines
    • Web servers, white pages
    • Library card catalog
    • Internet
  President, etc.
  Engineering students
    • Web servers, white pages
    • Library catalog and printer
    • Supercomputers
    • Student file servers and d
  Faculty
    • Web servers, white pages
    • Library catalog and printer
    • Faculty file servers and classroom printers
    • Internet
  Engineering faculty
    •
    •
    •
    •
  Guest
    • Web servers, white pages
    • Internet
  Guest_afterhours
    • Internet
  IP telephones
    • IP telephony exchange
  Quarantine/Test
    • NAC 800
    • Internet

Table 3-88. Resources Allowed in Access Profiles
  Columns: Access Profile, VLAN ID, Resources, Rate Limit, QoS

Access Policy Group Rules. After you have created the access profiles, you can create access policy group rules, which match users in the group to the profile according to other inputs.
1.

3. Quarantine—In a network with endpoint integrity, you must create a rule that matches the EI postures Quarantine or Infected with the quarantine access profile. (Typically, the other inputs should be “any” because you always want non-compliant endpoints quarantined.) You must also create a rule for the Unknown posture. Either match that posture to a test access profile or the quarantine access profile.

Access policy group rules (columns: Access Policy Group; Inputs: Location, Time, System, WLAN, EI; Outputs: Access Profile)
  Accounting
    Location: acct. office; Time: 8am - 6pm; System: any; WLAN: any; EI: Pass
    Access profile: Accounting
  Registrars
    Location: reg.
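The rule table above (inputs Location, Time, System, WLAN and EI posture, output an access profile) is easiest to reason about as an ordered first-match evaluation. The following is an added example, not from the guide or IDM: a small evaluator with constructed rules for two access policy groups. It places the Quarantine/Infected and Unknown posture rules first with every other input at "any", as the text recommends, and denies access outright when no rule matches rather than falling back to a default profile. Group names, locations, times and profile names are constructed.

```python
from datetime import time

ANY = "any"

# Constructed rules laid out like the guide's access policy group table:
# inputs (Location, Time, System, WLAN, EI posture) map to an access profile.
# Rules are evaluated top to bottom; the first match wins.
RULES = {
    "Accounting": [
        # Posture rules come first with every other input left at "any", so a
        # non-compliant endpoint is quarantined no matter where or when it connects.
        {"ei": ("Quarantine", "Infected"), "profile": "Quarantine"},
        {"ei": ("Unknown",), "profile": "Test"},
        {"location": "acct. office", "time": (time(8, 0), time(18, 0)),
         "system": ANY, "wlan": ANY, "ei": ("Pass",), "profile": "Accounting"},
        # The unencrypted-wireless profile the guide describes for trusted users.
        {"location": ANY, "time": ANY, "system": ANY, "wlan": "Unencrypted",
         "ei": ("Pass",), "profile": "Accounting_unencrypted"},
    ],
    "Guest": [
        {"ei": ("Quarantine", "Infected", "Unknown"), "profile": "Quarantine"},
        {"location": ANY, "time": (time(8, 0), time(18, 0)), "system": ANY,
         "wlan": ANY, "ei": ("Pass",), "profile": "Guest"},
        {"location": ANY, "time": ANY, "system": ANY, "wlan": ANY,
         "ei": ("Pass",), "profile": "Guest_afterhours"},
    ],
}


def _matches(expected, actual):
    return expected == ANY or expected == actual


def _in_window(window, t):
    """window is ANY or a (start, end) pair of datetime.time; end is exclusive."""
    if window == ANY:
        return True
    start, end = window
    return start <= t < end


def select_profile(group, request, rules=RULES):
    """Return the access profile for a login request, or None when no rule in
    the user's access policy group matches (the user is then denied access
    rather than dropped into some default profile)."""
    for rule in rules.get(group, []):
        if request["ei"] not in rule["ei"]:
            continue
        if not _matches(rule.get("location", ANY), request["location"]):
            continue
        if not _in_window(rule.get("time", ANY), request["time"]):
            continue
        if not _matches(rule.get("system", ANY), request["system"]):
            continue
        if not _matches(rule.get("wlan", ANY), request["wlan"]):
            continue
        return rule["profile"]
    return None


def request(location, t, system="managed-pc", wlan="wired", ei="Pass"):
    """Build a login request; the default values are constructed for the example."""
    return {"location": location, "time": t, "system": system, "wlan": wlan, "ei": ei}


if __name__ == "__main__":
    print(select_profile("Accounting", request("acct. office", time(10, 0))))
    print(select_profile("Accounting", request("acct. office", time(10, 0), ei="Infected")))
    print(select_profile("Guest", request("lobby", time(20, 0), wlan="Guest-WLAN")))
```

Keeping the posture rules at the top is what makes the "other inputs are any" advice safe: a later, more specific rule can never grant a failing endpoint a production profile.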
Next, create each policy. The exact steps vary, of course, depending on your RADIUS server. In general, you must:
1. Set the conditions by which the RADIUS server matches an authentication request to the policy. The exact conditions supported depend on your RADIUS server, but they commonly include group membership (in a group defined on the RADIUS server or in a directory), time, and access method (such as wired, wireless, or remote).

Table 3-92. Authentication Protocols for My Policies
  Policy 1—Authentication Protocols
  Policy 2—Authentication Protocols

3. Define dynamic settings. In this step, you customize authenticated users’ access by manually defining values for various RADIUS attributes. For example, you might assign users to a particular VLAN. Some dynamic settings, such as ACLs, require you to set up vendor-specific attributes.
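When a policy's dynamic settings place a user in a VLAN, the RADIUS server returns three tunnel attributes in the Access-Accept (Tunnel-Type, Tunnel-Medium-Type and Tunnel-Private-Group-ID, RFC 2868 as applied by RFC 3580), and settings such as ACLs travel in Vendor-Specific (attribute 26). The following is an added example, not the guide's or any RADIUS server's code: it builds those attributes for a VLAN, encodes and decodes the RFC 2865 attribute format, and recovers the VLAN the way a switch would, insisting on all three attributes with a consistent tag. The vendor ID and vendor type used for the Vendor-Specific example are placeholders, not a real vendor's values.

```python
import struct

# RFC 2865 attribute types, and the RFC 2868 / RFC 3580 values used for VLAN assignment.
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID, VENDOR_SPECIFIC = 64, 65, 81, 26
TUNNEL_TYPE_VLAN = 13          # Tunnel-Type: VLAN
TUNNEL_MEDIUM_IEEE802 = 6      # Tunnel-Medium-Type: IEEE 802
TUNNEL_ATTRS = (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID)


def vlan_attributes(vlan, tag=1):
    """The attributes a policy's dynamic VLAN setting puts in an Access-Accept.
    Each tunnel attribute starts with a one-octet tag (0x00..0x1F) that groups
    the three together; tag 0 means 'no tag'."""
    if not 0x00 <= tag <= 0x1F:
        raise ValueError("tag must fit in 0x00..0x1F")
    tag_byte = bytes([tag])
    return [
        (TUNNEL_TYPE, tag_byte + TUNNEL_TYPE_VLAN.to_bytes(3, "big")),
        (TUNNEL_MEDIUM_TYPE, tag_byte + TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")),
        (TUNNEL_PRIVATE_GROUP_ID, tag_byte + str(vlan).encode("ascii")),  # VLAN ID as a string
    ]


def vendor_specific(vendor_id, vendor_type, value):
    """Vendor-Specific (26) per RFC 2865 section 5.26: 4-octet Vendor-Id, then
    vendor type, vendor length (covering type, length and data) and data.
    Used for settings such as ACLs; vendor_id/vendor_type here are placeholders."""
    inner = bytes([vendor_type, 2 + len(value)]) + value
    return (VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + inner)


def encode(attributes):
    """Serialise (type, value) pairs as Type | Length | Value, length covering all three."""
    out = bytearray()
    for atype, value in attributes:
        if len(value) > 253:
            raise ValueError("attribute value too long for one AVP")
        out += bytes([atype, 2 + len(value)]) + value
    return bytes(out)


def decode(data):
    """Parse a run of AVPs into (type, value) pairs, rejecting malformed lengths
    instead of reading past the buffer."""
    attrs, i = [], 0
    while i < len(data):
        if i + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, length = data[i], data[i + 1]
        if length < 2 or i + length > len(data):
            raise ValueError("bad attribute length")
        attrs.append((atype, data[i + 2:i + length]))
        i += length
    return attrs


def vlan_from_accept(data):
    """Recover the VLAN a switch would apply: all three tunnel attributes must be
    present under the same tag, with Tunnel-Type VLAN and Tunnel-Medium-Type 802.
    A group-ID whose first octet exceeds 0x1F has no tag (RFC 2868 section 3.6)."""
    groups = {}
    for atype, value in decode(data):
        if atype in TUNNEL_ATTRS and value:
            tagged = value[0] <= 0x1F
            tag, body = (value[0], value[1:]) if tagged else (0, value)
            groups.setdefault(tag, {})[atype] = body
    for attrs in groups.values():
        if (attrs.get(TUNNEL_TYPE) == TUNNEL_TYPE_VLAN.to_bytes(3, "big")
                and attrs.get(TUNNEL_MEDIUM_TYPE) == TUNNEL_MEDIUM_IEEE802.to_bytes(3, "big")
                and TUNNEL_PRIVATE_GROUP_ID in attrs):
            return attrs[TUNNEL_PRIVATE_GROUP_ID].decode("ascii")
    return None


if __name__ == "__main__":
    packet = encode(vlan_attributes(5))
    print(packet.hex(), "->", vlan_from_accept(packet))
```

`vlan_from_accept` returning `None` for a partial set mirrors what a switch does with an incomplete or inconsistent triple: the user is not moved to the VLAN, which is the symptom to check first when a dynamic VLAN setting appears to be ignored.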
Note Some directories, such as eDirectory, allow you to extend the schema with RADIUS attributes. You can then assign dynamic settings directly to a user or group object rather than through a RADIUS server policy. See your LDAP server's documentation to determine whether or not it supports this option.

Create the NAC Policies

You have already learned how to quarantine non-compliant endpoints. Now you need to consider how you will define non-compliance.
■ Workgroups—Set the appropriate NetBIOS names in each policy in the group.
■ User groups (or any other criteria used by IDM)—IDM gives you the opportunity to apply different NAC policies according to any criteria used by IDM to differentiate network access. You simply create rules that place endpoints to be tested in different VLANs. For example, follow these steps to apply different policies to different user groups:
a.

You might select tests such as these for a policy intended to test guest endpoints before letting them use your network to access the Internet. You eliminate the most common threats from unknown equipment without frustrating guests with policies they cannot meet.
1. Does your policy mandate that endpoints be free of viruses, worms, and other malware? Check the cell for that test.
2.

1. Does your organization require anti-virus software? In Table 3-96, fill in the anti-virus software solutions that meet your requirements. The NAC 800 allows you to choose multiple solutions; as long as an endpoint has one of them, it passes the test.
2. Does your organization require anti-spyware? Fill in the solutions that meet your requirements.
3.

"Customer Needs Assessment," meet with users and consider their input when formulating the policy. Also test policies before enforcing quarantining. (See the ProCurve Access Control Implementation Guide.) Because these tests exert a high level of control over endpoints, they are most appropriate for checking endpoints in private zones. It is a rare security policy that requires all of the tests in this section.
Table 3-98. Macro Security Tests (worksheet; record the minimum macro security setting per application)
Security setting | Microsoft Excel | Microsoft Outlook | Microsoft Word
High | | |
Medium | | |
Low | | |

5. Does your organization prohibit peer-to-peer (P2P) applications such as file-sharing or instant messaging applications? When you activate the P2P test, it prohibits all P2P applications. But you can then choose specific ones to allow in your network.
Table 3-100. Windows Automatic Updates Options (worksheet; mark your selection)
• Download and install automatically
• Download automatically but notify before installing
• Notify before downloading and installing

11. Does your organization prohibit certain software applications? Does it require certain applications? The NAC 800 can scan for Windows applications.

Other services might be required in your system. You might want to check for those services but not quarantine endpoints that do not have them. You must specify Windows services with the exact names that are displayed in Control Panel > Administrative Tools > Services; a name that differs in spelling or capitalization does not match. If you enable the Mac services test, only the services that you select from a list are allowed (others are prohibited). Record the services that you want to allow in Table 3-102.

If so, you can activate the Windows Startup Registry Entries Allowed test. Viruses, worms, and spyware often lurk in the Run and RunOnce keys of the Windows registry (which dictate which applications run at startup). You can create a list of valid entries for these keys; any entry not on the list fails the test.
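The selections above (anti-virus, anti-spyware, P2P, services, Automatic Updates and startup registry entries) are inputs to one evaluation per endpoint. The following Python is an added example, not NAC 800 code, that models that evaluation over constructed postures; the policy fields, product names, service display names and registry entries are assumptions made for the example. It shows the rules the text describes: any one approved anti-virus product passes, the P2P test denies every application it knows about except named exceptions, Windows service names must match the Control Panel display name exactly (so a case mismatch quarantines), a watched-but-not-required service only warns, and the resulting posture selects the access profile the way the access policy group rules in this section do.

```python
"""Evaluate an endpoint posture against a NAC policy built from the checklist above.

Added example, not NAC 800 code. Policy fields, product names, service display
names and registry entries are constructed for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Set, Tuple

# Constructed set of application names this policy treats as P2P/IM clients.
P2P_APPLICATIONS: Set[str] = {"BitTorrent", "LimeWire", "eMule", "Instant Messenger"}

# Integrity postures named in the text and the access profile each rule selects.
POSTURE_TO_PROFILE = {"Pass": "group profile", "Quarantine": "quarantine",
                      "Infected": "quarantine", "Unknown": "test"}


@dataclass
class Policy:
    antivirus_allowed: List[str]                  # endpoint needs any one of these
    anti_spyware_allowed: List[str]               # empty list = test not selected
    p2p_test_enabled: bool = False
    p2p_exceptions: List[str] = field(default_factory=list)
    required_services: List[str] = field(default_factory=list)   # quarantine if missing
    watched_services: List[str] = field(default_factory=list)    # warn only
    startup_allow: Dict[str, List[str]] = field(default_factory=dict)  # key -> entries
    auto_update_allowed: List[str] = field(default_factory=list)


@dataclass
class Posture:
    antivirus: List[str]
    anti_spyware: List[str]
    applications: List[str]
    services_running: List[str]
    startup_entries: Dict[str, List[str]]
    auto_update_setting: str


def evaluate(endpoint: Posture, policy: Policy) -> Tuple[str, List[str], List[str]]:
    """Return (integrity posture, failures, warnings) for one endpoint."""
    failures: List[str] = []
    warnings: List[str] = []
    # Anti-virus / anti-spyware: pass if at least one approved product is present.
    if policy.antivirus_allowed and not set(endpoint.antivirus) & set(policy.antivirus_allowed):
        failures.append("no approved anti-virus product installed")
    if policy.anti_spyware_allowed and not set(endpoint.anti_spyware) & set(policy.anti_spyware_allowed):
        failures.append("no approved anti-spyware product installed")
    # P2P: deny by default once the test is on, then allow the named exceptions.
    if policy.p2p_test_enabled:
        failures += [f"prohibited P2P application: {app}" for app in endpoint.applications
                     if app in P2P_APPLICATIONS and app not in policy.p2p_exceptions]
    # Services: exact, case-sensitive match on the Control Panel display name.
    running = set(endpoint.services_running)
    failures += [f"required service not running: {s!r}" for s in policy.required_services if s not in running]
    warnings += [f"watched service not running: {s!r}" for s in policy.watched_services if s not in running]
    # Startup registry entries: anything not on the allow list for its key fails.
    for key, entries in endpoint.startup_entries.items():
        allowed = set(policy.startup_allow.get(key, []))
        failures += [f"unexpected startup entry {e!r} under {key}" for e in entries if e not in allowed]
    # Windows Automatic Updates: the configured mode must be one you accept.
    if policy.auto_update_allowed and endpoint.auto_update_setting not in policy.auto_update_allowed:
        failures.append(f"Automatic Updates set to {endpoint.auto_update_setting!r}")
    return ("Quarantine" if failures else "Pass"), failures, warnings


def access_profile(posture: str) -> str:
    """Access policy group rule: non-compliant or unknown postures never get the group profile."""
    return POSTURE_TO_PROFILE.get(posture, "quarantine")


# Constructed private-zone policy; service names are Windows XP display names.
PRIVATE_ZONE_POLICY = Policy(
    antivirus_allowed=["Vendor A AntiVirus", "Vendor B Endpoint Protection"],
    anti_spyware_allowed=["Vendor A AntiVirus"],
    p2p_test_enabled=True,
    p2p_exceptions=["Instant Messenger"],
    required_services=["Windows Firewall/Internet Connection Sharing (ICS)", "Automatic Updates"],
    watched_services=["Print Spooler"],
    startup_allow={"Run": ["ctfmon.exe", "Vendor A AntiVirus"], "RunOnce": []},
    auto_update_allowed=["Download and install automatically",
                         "Download automatically but notify before installing"],
)


def compliant_endpoint() -> Posture:
    """Constructed posture of a managed workstation that should pass."""
    return Posture(antivirus=["Vendor B Endpoint Protection"], anti_spyware=["Vendor A AntiVirus"],
                   applications=["Instant Messenger", "Microsoft Office"],
                   services_running=["Windows Firewall/Internet Connection Sharing (ICS)", "Automatic Updates"],
                   startup_entries={"Run": ["ctfmon.exe"], "RunOnce": []},
                   auto_update_setting="Download and install automatically")


def noncompliant_endpoint() -> Posture:
    """Constructed posture: service name case mismatch, a P2P client, a stray Run entry, weak AU."""
    return Posture(antivirus=["Vendor B Endpoint Protection"], anti_spyware=["Vendor A AntiVirus"],
                   applications=["LimeWire"],
                   services_running=["windows firewall/internet connection sharing (ics)", "Automatic Updates"],
                   startup_entries={"Run": ["ctfmon.exe", "svhost32.exe"], "RunOnce": []},
                   auto_update_setting="Notify before downloading and installing")


if __name__ == "__main__":
    for ep in (compliant_endpoint(), noncompliant_endpoint()):
        posture, fails, warns = evaluate(ep, PRIVATE_ZONE_POLICY)
        print(posture, "->", access_profile(posture), fails, warns)
```

The case-mismatched service name in the second endpoint is the failure mode the text warns about: the test compares display names literally, so a policy that says "windows firewall" quarantines every endpoint until the name is corrected, which is why the text says to test policies before enforcing quarantine.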
Designing Access Controls Lay Out the Network

Table 3-105. Test for Windows Startup Registry Entries (worksheet)
Columns: Applications and Services Allowed to Run at Startup | Keys for Allowed Applications and Services

Lay Out the Network

You are now ready to lay out the network and implement your policies. This section guides you through deploying the components of your network access control solution.
Start your network core design with central network resources—your network's servers, which might include:
■ Directory servers (Active Directory, eDirectory, or Lightweight Directory Access Protocol [LDAP] servers) that can serve as the credential/policy repositories
■ RADIUS servers (the PDPs)

Note As you learned in "Choose Which Devices Will Play the Role of PDP" on page 3-79, your RADIUS servers might instead be built into edge devices.

Figure 3-11. Adding Switches and VLANs to the Core Resources

Note that all connections in the network core are wired connections, for reasons of speed and capacity. A minimum data rate of 1 Gbps is recommended for all connections in the core.

Access Zones for Endpoints

The sections below summarize typical deployments for the five basic types of access zones. Again, the access control design is emphasized over the physical design.

Access Control Method. For truly public environments, 802.1X is generally not used because each computer must run 802.1X supplicant software. Providing and administering supplicant software for guest users is cumbersome and expensive enough to make MAC-Auth or Web-Auth the generally recommended access control method. Workstations that belong to the organization can authenticate with either the Web-Auth or MAC-Auth method.

Remember, in either case, you can allow unauthenticated users to be placed on an unauthenticated VLAN.

Endpoint Integrity. Particularly when you allow members of the public to connect their own equipment to your network, you should implement endpoint integrity. The most suitable deployment method is usually DHCP, and the most suitable testing method is ActiveX, because ActiveX testing does not require any installation of software or entering of credentials. It does, however, require Internet Explorer with ActiveX enabled on the endpoint (see the glossary entry for the ActiveX test method), so endpoints without that configuration cannot be tested and will stay at the Unknown posture.
Network Access Control Capabilities of ProCurve Edge Switches (public wired zone; column alignment was lost in extraction)
Columns: Switch Series | MAC-Auth | Web-Auth | 802.1X | Dynamic VLAN Assignment | Dynamic ACLs
Rows: 3400cl, 2900, 2810, 2800 (four capabilities marked each); 2600; 2510; 2500 (one capability marked "local only"); 1800; 1700. The remaining cells are not recoverable from this extraction.

Public Wireless Zone

The public wireless zone is a wireless environment intended for endpoints, typically laptop computers and PDAs, that belong to guests, customers, or possibly contractors.
correct EAP type. You should balance the greater security against the increased number of calls the IT staff may need to field. If guests are only accessing the Internet, 802.1X is probably unnecessary.

MAC-Auth is often infeasible for a public wireless zone for two reasons:
■ This zone usually consists of a changing pool of endpoints, often controlled by outsiders. Tracking the MAC addresses may be difficult or impossible.

Choose the 802.1X deployment method if you use that access control method. Otherwise, DHCP is the typical method. You could also use the inline method if the public wireless zone connects to the rest of the network at a single choke point.

VLAN Assignment and Other Dynamic Settings.

You should also verify that your wireless PEPs support your chosen access control and encryption methods. All ProCurve wireless devices support all encryption options, and the Wireless Edge Services Module supports all three access control methods. As you can see in Table 3-110, the AP 420 and AP 530 do not support Web-Auth, so this access control method must be implemented at the switch port. For full details on each product, visit http://www.hp.

The RPs require a Power over Ethernet (PoE) source but can connect to any location in the network. (PoE sends power over the same Ethernet cable on which data is transmitted.) To ensure that RPs are adopted by the module, you must either extend the Radio Port VLAN between the module and the RP or set up Layer 3 adoption. (See the ProCurve Access Control Implementation Guide.)
PoE capacity (the 5406zl row is cut off in the original):
ProCurve Product | Maximum Power on a Port | Maximum Ports
3500yl-48G | 15.4 W | 30 AP 420s; 31 AP 530s; 48 of any RPs
5406zl | 15.
The switch to which APs or RPs connect needs the capacity to handle the traffic. An 802.11a/g radio has a maximum data rate of 54 Mbps (and an actual throughput of roughly 32 Mbps at best), so a 100-Mbps switch port can easily serve an AP or RP with one or two radios.

The NAC policies you enforce in the wired private zone might be more stringent than those in public zones. Users in the private zone typically have greater access to network resources, so you have more to protect in this zone. The NAC policies also provide opportunities to enforce company policies that might otherwise be ignored. For the endpoint integrity testing method, either the NAC EI agent or the agentless method is suitable.
Table 3-114. Network Access Control Capabilities of ProCurve Edge Switches (columns: Switch Series | MAC-Auth | Web-Auth | 802.1X; the table body is not present in this extraction)
Access Control Method. Although it is a wireless zone, the private wireless zone, due to its private nature (and the concomitant level of IT control), is well suited to 802.1X authentication.

Encryption. In a wireless network, 802.1X authentication also produces the per-session master key from which the WPA/WPA2 encryption keys are derived, so every client ends up with its own keys rather than a shared secret. Generally, there is no reason that you cannot choose strong WPA/WPA2 encryption (TKIP or AES or both) because most wireless NICs support this option. Prefer AES (CCMP) where the NICs support it: TKIP was designed as a stopgap for WEP-era hardware and has known weaknesses.

Endpoint Integrity.

VPN Protocol and Encryption Algorithms. The VPN protocol is responsible for establishing secure tunnels between remote users and a device (typically a VPN gateway) in the private network. You can choose from several VPN protocols. The most common include PPTP, IPsec with IKE, and L2TP/IPsec with IKE. The two that use IPsec are the more secure protocols; PPTP depends on MS-CHAPv2 and RC4-based MPPE, both of which have known weaknesses, so it should be used only where nothing else is available.

(However, even some homes feature simple LANs.) If the remote endpoint does have a NATed IP address, the VPN gateway must support NAT Traversal (NAT-T); otherwise, the VPN connection fails. The Secure Router 7000dl supports NAT-T in addition to the VPN capabilities listed in Table 3-116.

Table 3-116.
Table 3-117. VPN Capabilities of the ProCurve VPN Client
VPN Protocol: IPsec with IKE; L2TP/IPsec
Authentication Methods: Preshared key; Digital certificates (Certificate Manager and SCEP included)
Hash: HMAC-MD5; HMAC-SHA1; DES-MAC
Encryption: DES; 3DES; AES
Support for NAT-T: Yes
Support for Xauth: Yes

Combining Access Control Zone Designs

Network topology does not always match network geography.
For example, in your private offices (a private wired zone), some employees might bring along their laptops when meeting with colleagues and connect to the network wirelessly (private wireless zone). In such cases, you have a private wireless zone overlaid on a private wired zone. Both segments occupy the same physical space, even though they operate differently.
Designing Access Controls Integrating all Parts of the Network Design

Integrating all Parts of the Network Design

After you have laid out the various segments in your network, you can optimize your design by integrating the segments into a unified whole.

Adding Access Control to an Existing Network

To guide you through all the steps of designing an access control solution, this guide discussed the design as if you didn't have an existing network and existing equipment.
Migrating from One Solution to Another

Although 802.1X authentication provides the strongest access control security, you may not start with that access control method. (See "Choose the Access Control Methods" on page 3-13.) If you start with MAC-Auth or Web-Auth, you may migrate toward 802.1X in the future, as both computers and users become more sophisticated about access control.
4 Other Resources

Services and Support

This guide has taken you through the process of designing an access control security solution. However, no guide, no matter how comprehensive, can predict your environment exactly. ProCurve Networking provides several personalized services to further help you design a solution.
Other Resources Implementation

Implementation

The ProCurve Access Control Implementation Guide provides detailed information on how to create a network access control solution that meets the needs of a particular environment.
Table 4-1. Elements of Each Access Control Solution (columns: Elements | Solution 1 | Solution 2 | Solution 3 | Solution 4 | Solution 5; cell alignment was lost in extraction)
Access control method row: 802.1X 802.1X 802.1X 802.1X Web-Auth MAC-Auth none
Deployment method row: 802.1X 802.1X inline for remote 802.1X users (added to 802.
A Appendix A: Glossary

Numeric

3DES: A version of DES, also called "Triple DES" (TDES), in which three DES operations (encrypt, decrypt, encrypt) are applied with two or three independent keys. For more information, see NIST Special Publication 800-67 at http://csrc.nist.gov/publications/nistpubs/800-67/SP800-67.pdf.

802.1: The standard for managing LANs and MANs. It is concerned with network architecture, bridging, management, link security, and protocol layers above the MAC and LLC layers. For more information, see IEEE 802.1 at http://www.ieee802.org/1/.

802.
802.1X deployment method: The deployment method that corresponds to the 802.1X quarantine method. In this deployment method, the NAC 800 is connected to a switch via both its Ethernet ports. Port 1 receives authentication requests, and port 2 receives mirrored DHCP traffic. See also DHCP deployment method and inline deployment method.

802.1X quarantine method: One of the NAC 800's three methods for quarantining endpoints that fail to comply with the NAC policy.

access grace period: The period of time between an endpoint failing a test and the endpoint being quarantined. The network administrator sets the access grace period for a particular test when configuring the test failure actions for that test in a NAC policy.

access method: The way in which an endpoint connects to the network. Options include VPN, dial-up, wireless, or Ethernet.

ActiveX test method: An endpoint integrity-testing method that relies on the ActiveX control operation of signed and safe controls. The NAC 800 uses ActiveX to download a temporary agent to the endpoint. All versions of the Windows operating system are supported, and no ports on an endpoint's personal Windows firewall need to be opened. As long as the firewall allows Internet Explorer access and the Internet Explorer settings allow ActiveX, the endpoint can be tested.

...enabled on the endpoint, that ports 137, 138, 139, and 445 be open on the endpoint's firewall, that the endpoint's browser security settings allow Java scripting, and that administrator credentials be known for the endpoint. (This is the tail of the agentless test method entry; its beginning is not present on this page. Note that it requires the tester to hold administrator credentials for every endpoint and to reach its SMB ports, which is a significant amount of trust to place in the NAC 800 and in the network path to it.)

AH: Authentication Header. A part of the IPsec protocol suite that guarantees connectionless integrity and data origin authentication of IP datagrams. See also ESP.

AP: Access Point.

authorization server: A device that makes authorization decisions that are enforced by other infrastructure devices.

AVP: Attribute-Value Pairs. A data structure that is expressed in terms of an attribute name and an assigned value.

B

back door: A disguised or hidden entry point in a software program or system that allows end-users to circumvent normal authentication or controls. An open back door can be intentional (for maintenance use) or unintentional.

certificate: An electronic document that contains a public key and is digitally signed by a third-party issuer such as a CA. Digital certificates are used for network authentication. They contain the certificate holder's name or other identifying information, a serial number, the expiration date, and a copy of the certificate holder's public key, which validates data signed by the corresponding private key.

certificate authority: See CA.

Challenge Handshake Authentication Protocol: See CHAP.
DES: Data Encryption Standard. A published encryption algorithm that uses a 56-bit symmetric key to encrypt data in 64-bit blocks. IPsec, the industry standard for VPNs, supports 3DES. The 56-bit key has been brute-forced in practice and NIST withdrew FIPS 46-3 in 2005, so single DES should not be chosen for new configurations; use 3DES or, preferably, AES. For more information, see FIPS PUB 46-3 at http://csrc.nist.gov/publications/fips/fips46-3/fips46-3.pdf.

DHCP: Dynamic Host Configuration Protocol. A protocol that allows network administrators to set up a server to manage IP addresses, automatically assigning IP addresses to devices on the network.

E

EAP: Extensible Authentication Protocol. A protocol that allows PPP to use authentication protocols that are not part of the PPP suite. For more information, see RFC 3748 at http://www.ietf.org/rfc/rfc3748.txt. See also CHAP and PAP.

EAPOL: EAP over LAN. An encapsulation method for transmitting EAP over local area networks that is used by 802.1X.

EAP-GTC: EAP with Generic Token Card. An implementation of EAP that uses a token card for authentication.

enforcement cluster: A logical group of one or more ESs that are controlled by an MS. Each cluster can support only one deployment method, but an MS can control multiple ESs, each supporting a different deployment method.

enforcement server: See ES.

ES: Enforcement Server. In a multiple-NAC 800 installation, the ES applies the NAC policies that are defined on the MS and enforces quarantining.

ESP: Encapsulating Security Payload.

H

hash: A fixed-size value generated by running data through a hash function. The hash is substantially smaller than the input, and a cryptographic hash function is collision resistant: it is computationally infeasible to find two different inputs that produce the same hash value. The hash is also one-way: the original input cannot be recovered from the hash value. Hashing is not encryption, since there is no key and nothing to decrypt.

HMAC: keyed-Hash MAC. A type of MAC that is calculated with a hash function and a secret key.
integrity posture: The state of an endpoint in terms of its compliance with NAC policies. The integrity posture is used to determine an endpoint's access control state along with other factors such as an exception, access grace period, and access mode. See Appendix C, "Integrity Postures."

IPsec: Internet Protocol security. A suite of protocols that are used to establish a VPN tunnel between devices that communicate over the Internet, thereby protecting their data.

lightweight directory access protocol: See LDAP.

load balancing: Distribution of integrity checking among two or more devices. The NAC 800 distributes the testing of endpoints across all ESs in a cluster. The NAC 800 uses a hashing algorithm based on MAC or IP addresses to distribute the endpoints between the ESs.

M

MAC-Auth: MAC Authentication. Authentication that is based on the endpoint's MAC address rather than on the user's credentials.

MS: Management Server. When using a NAC 800 in a multiple-server installation, the server that is used for managing and controlling the ESs.

MS-CHAP: Microsoft CHAP. The Microsoft implementation of CHAP. Version 2, described in RFC 2759, is the one used by PEAP and PPTP; it is vulnerable to offline attacks on a captured exchange, so it should only be used inside a TLS-protected tunnel such as PEAP or EAP-TTLS. For more information, see RFC 2759 at http://tools.ietf.org/html/rfc2759.

N

NAC: Network Access Controller. The generic term for any device that controls network access, particularly based on compliance with network policies (endpoint integrity).

NAT-T: NAT-Traversal. An IKE method for UDP encapsulation of ESP packets so that they pass better through firewalls and NAT devices. For more information, see RFC 3947 at http://tools.ietf.org/html/rfc3947 and RFC 3948 at http://tools.ietf.org/html/rfc3948.

PAP: Password Authentication Protocol. A protocol used to authenticate a client to a remote server or an Internet service provider. PAP transmits usernames and passwords in unencrypted plaintext, making it insecure. For more information, see RFC 1334 at http://www.ietf.org/rfc/rfc1334.txt.

PCM: ProCurve Manager. ProCurve's SNMP solution.

PDA: Personal Digital Assistant. A hand-held computing device that can run applications or store data.
policy repository: A data store such as a directory server, a flat file, or a database that contains a network's security policies. The PDP draws on the policies in the repository to make its authentication decisions.

post-connect testing: NAC tests that are run on endpoints after they have already connected successfully to the network. The network administrator configures the retest frequency.

Q

quarantine: The isolation of endpoints or systems to prevent potential infection of other endpoints or systems. The NAC 800 determines whether to quarantine an endpoint by applying the following policies in this order: access mode, temporarily quarantine/grant access setting, exceptions, NAC policies (the results of tests in the policy).

quarantine all: An access mode that mandates that all endpoints be quarantined regardless of test results.

RC4: Rivest Cipher 4. A widely used stream cipher that is used by SSL and WEP. Also called "arcfour." RC4 is not recommended for use by new systems because it is not very strong cryptographically. For more information, see the Internet Draft at http://www.mozilla.org/projects/security/pki/nss/draft-kaukonen-cipher-arcfour-03.txt.

remediation: The process by which a non-compliant endpoint is made compliant.

S

SA: Security Association. Secure communication between two network devices that is created from shared security information. An SA is used in IKE. For more information, see RFC 4306 at http://tools.ietf.org/html/rfc4306.

SHA-1: Secure Hash Algorithm One. A cryptographic hash function designed by the National Security Agency and published by NIST as a FIPS standard. SHA-1 is used in TLS, SSL, and IPsec and was designed as a successor to MD5. Practical collision attacks against SHA-1 have since been demonstrated, so it should no longer be used for digital signatures or certificates; HMAC-SHA1 is not affected by those attacks. For more information, see RFC 3174 at http://tools.ietf.

Steel-Belted Radius: An implementation of RADIUS developed by Funk Software and later purchased by Juniper Networks. For more information, see Juniper Networks at http://www.juniper.net.

STP: Spanning Tree Protocol. A protocol that eliminates network loops by deactivating redundant connections. Its faster successor is RSTP (Rapid Spanning Tree Protocol), which has been folded into the 802.1D standard. For more information, see IEEE 802.1D at http://www.ieee802.org/1/pages/802.1D-2003.html.
TLS: Transport Layer Security. The successor to SSL. It prevents eavesdropping on and tampering with communications between an Internet client and server. For more information, see RFC 2246 at http://www.ietf.org/rfc/rfc2246.txt.

transient agent: An agent that is installed on the endpoint for a short time only at the beginning of each test. The ActiveX test method uses a transient agent.

Trojan: A malicious program disguised as or embedded within legitimate software.

V

virus: A computer program that can copy itself and damage a computer system. A virus cannot self-propagate as a worm can but is spread via infected removable media (floppy disks, zip drives, USB drives) or by sending it over a network.

WEP: Wired Equivalent Privacy. A protocol that is part of the IEEE 802.11 suite of protocols for wireless LANs. Its purpose was to provide privacy equivalent to that of an unsecured wired LAN. It has been superseded by WPA and IEEE 802.11i because weaknesses in its use of RC4 and its short IVs allow the key to be recovered from captured traffic. For more information, see IEEE 802.11 at http://standards.ieee.org/getieee802/802.11.html.

Windows: The desktop and server operating system developed by Microsoft.

X

Xauth: eXtended authentication. An IKE extension that permits the use of legacy authentication methods such as RADIUS, SecurID, and OTP. For more information, see the Internet Draft at http://www.vpnc.org/ietf-xauth/draft-beaulieu-ike-xauth-02.txt.

Xsupplicant: An 802.1X supplicant developed by the Open1X project that runs on Linux platforms and permits authentication to a RADIUS server using the EAP protocols. For more information, see http://open1x.sourceforge.net.
A Addendum to the ProCurve Access Control Security Design Guide

Contents
Overview: A-3
ProCurve Access Control Solution 2.1: A-4
  Enhancements to the ProCurve Access Control Solution 2.1: A-5
  ProCurve NAC 1.1: A-6
    SMB Signing
Network Access Methods: A-17
  IPsec: A-17
  DHCP: A-20
  VPN Access: A-21
  802.
Overview

Designing an access control solution is an ongoing process, which must be revisited over time to protect corporate networks against emerging threats. This process must also be re-evaluated as existing products are enhanced with new features and new products are brought to market.

ProCurve Access Control Solution 2.1

The ProCurve Access Control Solution 2.1 provides adaptive edge control with endpoint integrity.

• Endpoint integrity checking—The ProCurve NAC 800 checks each endpoint that requests access to the network and ensures that it meets your company's security policies. Noncompliant endpoints are placed in a quarantine subnetwork, whereas compliant endpoints receive the settings you have configured for that device or for the authorized user accessing the network through that device.

ProCurve NAC 1.1

The 1.

Post-Connect NAC Testing

Post-connect checking is a key component of a true endpoint integrity solution. Without it, users quickly learn that they can circumvent your security settings—for example, raising their browser security settings, connecting to the network, and immediately lowering the settings again. The NAC 800 has always supported post-connect checking by the NAC 800 itself.

provides a third option: You can install RDAC on the Windows DHCP server, and as long as the server can relay DHCP information to the NAC 800, you can place it anywhere on the network. RDAC is also used for the new DHCP plug-in deployment.

DHCP Plug-in Deployment

Previously, the NAC 800 supported a DHCP inline deployment.

Figure A-2. DHCP Plug-in Deployment—Single NAC 800 and Multiple DHCP Servers

You must then configure the DHCP plug-in and RDAC as described in the Addendum to ProCurve Access Control Security Solution Implementation Guide. The DHCP plug-in gives you greater flexibility in using the NAC 800 for a DHCP deployment.

Identity Driven Manager 2.

connection is set up as defined in the IDM access policies. For example, if you have defined a user's access policies to include a dynamic VLAN ID, quality of service (QoS) settings, bandwidth settings, and an access control list (ACL), IDM sends this information to the RADIUS server so that it can include the information in its authentication reply.
Microsoft NAP
As mentioned earlier, the ProCurve Access Control Solution 2.1 integrates with the Network Access Protection (NAP) platform architecture, which is included with Windows Server 2008. The client component, the NAP agent, is included in Windows Vista and Windows XP Service Pack 3 (SP3).
Figure A-3. NAP Architecture
The components of the NAP platform consist of conventional network resources and NAP-specific components:
■ NAP client
The NAP client is a NAP-capable endpoint. The necessary components, which are described later, are included with Windows Vista and Windows XP (SP3).
■ NAP enforcement point
A NAP enforcement point can be a DHCP server; a VPN server; an IEEE 802.
■ NAP health policy server (NPS)
The NPS runs on Windows Server 2008 and performs the same function as a RADIUS or IAS server (NPS replaces IAS in Windows Server 2008). It holds the network security policies and the health state information.
■ Health requirement servers
A health requirement server provides antivirus signature files, software updates and patches, and other health state information to the NPS.
NAP Client Architecture
The NAP-capable endpoint includes several components, described in the sections below.
NAP Enforcement Clients (ECs)
There is one EC for each network access method. The NAP client ships with the following ECs:
■ IPsec NAP EC—IPsec-protected communications
■ EAPHost NAP EC—802.
Figure A-4. Client-Side NAP Architecture
NAP Server Architecture
The NAP server architecture is in some ways analogous to an AAA architecture. An enforcement point controls endpoints' network access according to instructions from a policy server—here, the NPS. The NPS, in turn, makes decisions based on its own policies and information stored in repositories. The components of the architecture are described in the sections below.
NAP Enforcement Point
In AAA, a PEP provides network access to an endpoint and enforces a PDP's decisions. Similarly, a NAP enforcement point stands between an endpoint and the network and enforces the NPS's decisions.
If the values are the same, the NPS declares the endpoint compliant and grants it access to the network. If the values differ, the NPS instructs the NAP enforcement point either to confine the endpoint to the restricted network or to give the endpoint limited access until it is compliant. The NPS also sends the NAP client instructions on how the endpoint can become compliant.
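The comparison the NPS makes here, and the post-connect rechecking described earlier for the NAC 800, as one added example that is not part of the original guide or of either product's code: a Python policy check that validates a constructed Statement of Health against hypothetical required values, returns a remediation step for each failing check, and then simulates the same endpoint under connect-time-only checking and under periodic rechecking, counting how long a client that lowers its settings after connecting keeps full access in each mode. The check names, policy values, remediation text and session timeline are all constructed for the example.

```python
"""Health validation at connect time and after connection (added example).

A policy server compares each value in an endpoint's Statement of Health
(SoH) with the value its policy requires; a mismatch means quarantine plus
remediation instructions. Running that same validation again while the
endpoint stays connected is post-connect checking. The simulation below
compares connect-time-only checking with periodic rechecking for an endpoint
that is compliant when it connects and turns its firewall off afterwards.
Check names, policy values, remediation text and the timeline are
constructed for this example; they are not NAC 800 or NPS attribute names.
"""
from dataclasses import dataclass, field

# Required health state, in the spirit of a Windows Security Health Validator
# configuration (hypothetical names).
POLICY = {
    "firewall_enabled": True,
    "antivirus_enabled": True,
    "antivirus_signatures_current": True,
    "automatic_updates_enabled": True,
}
REMEDIATION = {
    "firewall_enabled": "enable the host firewall",
    "antivirus_enabled": "start the antivirus service",
    "antivirus_signatures_current": "download current antivirus signatures",
    "automatic_updates_enabled": "turn on automatic updates",
}

COMPLIANT = dict(POLICY)
FIREWALL_OFF = dict(POLICY, firewall_enabled=False)
# Constructed session: seconds after connect -> SoH reported from then on.
# Compliant at connect, firewall off at 30 s, firewall back on at 100 s.
TIMELINE = {0: COMPLIANT, 30: FIREWALL_OFF, 100: COMPLIANT}


def validate_soh(soh):
    """Compare an SoH with POLICY; returns (compliant, remediation_steps).

    A check that is absent from the SoH counts as failed: the endpoint must
    positively report every required value, so a stripped-down SoH fails closed.
    """
    failed = [n for n, required in POLICY.items() if soh.get(n) != required]
    return (not failed), [REMEDIATION[n] for n in failed]


def state_at(timeline, t):
    """SoH the endpoint reports at second t (latest change at or before t)."""
    return timeline[max(k for k in timeline if k <= t)]


@dataclass
class Session:
    endpoint: str
    quarantined: bool = False
    exposure_seconds: int = 0  # non-compliant while still holding full access
    events: list = field(default_factory=list)


def run_session(endpoint, timeline, duration, recheck_interval=None):
    """Simulate duration seconds of one endpoint's session.

    recheck_interval=None is connect-time checking only; an integer re-runs
    validate_soh every that many seconds. The returned Session records the
    enforcement events and the seconds of exposure each mode allowed.
    """
    session = Session(endpoint)
    for t in range(duration + 1):
        compliant, steps = validate_soh(state_at(timeline, t))
        due = t == 0 or (recheck_interval is not None and t % recheck_interval == 0)
        if due:
            if not compliant and not session.quarantined:
                session.quarantined = True
                session.events.append((t, "quarantined", steps))
            elif compliant and session.quarantined:
                session.quarantined = False
                session.events.append((t, "released"))
            elif compliant and t == 0:
                session.events.append((t, "granted"))
        if not compliant and not session.quarantined:
            session.exposure_seconds += 1
    return session


if __name__ == "__main__":
    for interval in (None, 60):
        s = run_session("pc-42", TIMELINE, 150, interval)
        print(f"recheck={interval}: events={s.events} exposure={s.exposure_seconds}s")
```

With rechecking every 60 seconds the constructed endpoint is quarantined at the first recheck after it disables its firewall and released once it is compliant again; with a connect-time check only it is never quarantined and holds full access for the whole 70 seconds the firewall is off. Missing SoH values fail closed, so an endpoint cannot pass by simply not reporting a check.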
Figure A-5. IPsec-Protected and Unprotected Communications
A device can belong to only one network at a given time:
■ Secure Network—Contains all NAP clients that have health certificates and that require incoming communications to be authenticated via IPsec, using a health certificate.
Figure A-6. HRA Network Access
1. The NAP client connects to the HRA over HTTP or HTTPS, sends an SSoH, and requests a certificate.
2. The HRA sends the client's SSoH to the NPS over RADIUS.
3. The NPS performs a system health validation and sends its verdict to the HRA. If the client's SSoH does not meet the requirements, the NPS denies the endpoint's request and sends remediation instructions through the HRA.
DHCP
The DHCP method requires that the DHCP server run on Windows Server 2008 and also requires Active Directory Domain Services. Figure A-7 shows the network access method with DHCP.
Figure A-7. DHCP Network Access
1. The NAP client (using the DHCP NAP EC) sends its SSoH to a DHCP server in DHCP messages.
2. The DHCP server sends the client's SSoH to the NPS in RADIUS messages.
3.
VPN Access
The VPN server must run on Windows Server 2008, and Active Directory Domain Services is required. Figure A-8 shows the VPN network access method.
Figure A-8. VPN Network Access
1. The NAP client (using the VPN NAP EC) sends its SSoH to the VPN server using PEAP over PPP.
2. The VPN server sends the client's SSoH to the NPS.
3. The NPS performs a system health validation and sends its verdict to the VPN server.
4.
Figure A-9. IEEE 802.1X Network Access
1. The NAP client (using the EAPHost NAP EC) sends its SSoH to an 802.1X authenticator using PEAP over EAPOL. As you already learned in this chapter, the 802.1X authenticator is the network access device, such as a switch or wireless AP.
2. The authenticator sends the endpoint's SSoH to the NPS using PEAP over RADIUS.
3.
Remediation and Health Requirement Servers
While a compliant endpoint is connected to the network, the NAP Agent periodically queries the remediation servers to see if updates to software patches or antivirus signatures are available. If they are, the agent downloads them.
Figure A-10.
Updating the Access Control Design Process
With the new features provided by the ProCurve Access Control Solution 2.1, the process of designing access control security must be updated. First, a new step must be added: after you choose an access control method and make decisions about remote access (virtual private network, or VPN), you must select the endpoint integrity solution.
Choose the Endpoint Integrity Solution
The ProCurve Access Control Solution supports two options for endpoint integrity (that is, controlling network access based on an endpoint's compliance with security policies):
■ ProCurve NAC 800—a security appliance
■ Microsoft Network Access Protection (NAP)—a framework distributed across several servers running Windows Server 2008
With both options, the devi
Finally, note that even when your endpoints run a Windows OS, they may use third-party security software. NAP tests primarily for Microsoft solutions, while the NAC 800 tests for a wide variety of third-party antivirus software, firewalls, and other security solutions. Table A-3.
■ The NAC 800 checks endpoints for a variety of third-party firewalls and antivirus software.
If your company requires any of these benefits, you should consider using the NAC 800 over NAP. However, NAP provides its own security benefits. For example, with the IPsec deployment option, all traffic sent between endpoints in the protected network is authenticated with health certificates. Table A-4.
several components on the NPS and policy enforcement points. Because the NAP solution tends to be more distributed, it may require more management resources to maintain. For either solution, IDM increases manageability. In the graphical interface of IDM, you can easily set up access controls based on endpoint integrity. IDM also enhances NPS by dynamically managing access rights on a per-session basis.
Table A-5. Options for Endpoint Integrity Solution by Interoperability Requirements

  Interoperability Requirements    Option
  Legacy and future products       NAC 800
  Windows 2008 services only       NAP

Examples. NAP is for companies that want the complete NAP solution. PCU is not ready to complete an extensive upgrade. It selects the NAC 800. ProCurve, Inc.
Table A-7. Preliminary Decisions for the Endpoint Integrity Deployment Method

  Factor                                     Weight    Selection
  Existing network infrastructure                      NAC 800
  Vulnerability to risks and risk tolerance            NAC 800
  Management resources                                 NAC 800
  Interoperability requirements                        NAC 800
  Total                                                NAC 800

For PCU, the NAC 800 (managed by IDM) is the better choice. Table A-8.
As explained in Chapter 3: "Designing Access Controls" of the ProCurve Access Control Security Solution Design Guide, the NAC 800 can be deployed in three ways, which correspond to the quarantine method:
■ 802.
Technical information in this document is subject to change without notice. © Copyright 2008 Hewlett-Packard Development Company, L.P. Reproduction, adaptation, or translation without prior written permission is prohibited except as allowed under the copyright laws.