Security Solutions
3-24
Designing Access Controls
Choose the Access Control Methods
Table 3-7. Access Control Method by User Type and Sophistication
Administrative Workload
Do network administrators have the time and resources to implement the
access control method?
Unless your IT department is in the unusual situation of having too many
people and not enough work, the access control method you select should not
require excessive administrator involvement. For example, if you were to use
MAC-Auth for a zone that includes hundreds of devices, it would present an
enormous challenge because you would have to collect numerous MAC
addresses.
Sometimes, however, you must weigh the administrative burden against your
company’s need for security. For example, universities must accommodate a
new group of students each semester. If you use 802.1X security, you must
update the user accounts each semester. This may create administrative
overhead, although network administrators undoubtedly automate the process
as much as possible. (“Choose RADIUS Servers” on page 3-78 explains
how RADIUS servers can integrate with directories.) However, the university’s
low risk tolerance and the danger of knowledgeable users with ample time to
breach lax security outweigh the administrative burden. That is, most
universities can’t afford to implement a less-secure access control method.
Although you may be willing to incur some administrative overhead in
implementing access control, you should also look for ways to limit the resources
needed. For example, if you are using Web-Auth for guest access, you should
provide documentation to help users log in to the network. By ensuring that
the process is explained clearly, you can limit the number of calls to the
help desk.
Example
Table 3-8 shows the access control methods the PCU network administrators
select when factoring in only administrative workload.
Factor: User type and sophistication
  Private Wired:
    • 802.1X
    • Web-Auth for the administration building only
  Public Wired: Web-Auth
  Private Wireless: 802.1X with WPA/WPA2
  Public Wireless: Web-Auth