Security Solutions
Designing Access Controls
Choose the Access Control Methods
Table 3-19. Access Control Methods by Feasibility

Public wired
  MAC-Auth: Usually not feasible if users are providing their own endpoints—unless you ask users for the MAC addresses of their endpoints. Feasible if your company provides the endpoint (in a lab, for example).
  Web-Auth: Feasible because endpoints with user interfaces typically have a Web browser.
  802.1X: Typically not feasible when users provide their own endpoint. (You cannot ensure that each one has an 802.1X supplicant.) Possible if your company provides the endpoint, but (depending on users’ knowledge level) the administrative burden might be high.

Public wireless
  MAC-Auth: Not feasible because users typically provide their own equipment, and you cannot gather the addresses in advance. Also, it is easy to snoop MAC addresses and then spoof them.
  Web-Auth: Feasible because endpoints with user interfaces typically have a Web browser. Sometimes not feasible for Voice-over-IP (VoIP) phones.
  802.1X: Typically not feasible because you do not have control over the endpoint and cannot ensure that it has an 802.1X supplicant. Depending on users’ knowledge level, the administrative burden might be high. However, if users are accessing information from your network, you may opt for this more-secure access method at the cost of a higher administrative burden.

Private wired
  MAC-Auth: Feasible only if the number of endpoints is relatively small and static.
  Web-Auth: Feasible in most circumstances.
  802.1X: Feasible if endpoints have 802.1X supplicants and switches support 802.1X. Recommended for strongest security.

Private wireless
  MAC-Auth: Feasible only if:
    • The number of endpoints is relatively static and small
    • Encryption is added or MAC-Auth is used with another access control method that requires encryption
  Web-Auth: Feasible in most circumstances but requires encryption if you want to protect the wireless transmission. Less secure than 802.1X with WPA/WPA2.
  802.1X: Feasible if the endpoints have 802.1X supplicants and APs support 802.1X. Recommended for strongest security.

To make your final decision, you must factor in all the information you have collected. You might find it useful to use Table 3-20. In each row, enter your preferred access control method for each factor in each zone. Then, for each zone, find the access control method that shows up most frequently in the rows above and enter it in the “Total” row.