Security Solutions

3-55
Designing Access Controls
Choose the Endpoint Integrity Deployment Method
Table 3-36. Security Level of Deployment Methods

| | Inline | 802.1X | DHCP |
|---|---|---|---|
| Security provided | High | High | Medium |
| Security mechanism | The NAC 800 is physically placed between the endpoint and network resources. | Compliant endpoints are dynamically assigned a VLAN; non-compliant endpoints are quarantined in a separate VLAN. | The DHCP server gives a valid IP address only to compliant endpoints; the NAC 800 assigns non-compliant endpoints addresses in quarantine subnets. |
| Vulnerability | None | None | Sophisticated users can assign their devices a valid IP address and avoid making DHCP requests. |

Example

Based solely on security concerns, the PCU network administrators would choose the 802.1X deployment method for each access control zone and an inline deployment for remote access. However, the administrators know that they cannot use 802.1X as the deployment method with Web-Auth, which is the access control method in the public zones. So they choose the second most secure deployment method (inline) for the public zones.

Table 3-37. Deployment Method by Security

| Factor | Private Wired | Public Wired | Private Wireless | Public Wireless | Remote |
|---|---|---|---|---|---|
| Security | 802.1X | 802.1X | 802.1X | 802.1X | Inline |
| Security—after access control method is considered | 802.1X | Inline | 802.1X | Inline | Inline |

Existing Network Infrastructure

After the access control method, your existing network infrastructure is perhaps the most critical factor for selecting a deployment method.

If you are considering the 802.1X deployment method, your switches must of course support 802.1X. You should also determine whether the switches support traffic mirroring (which may be called port mirroring, port monitoring, or port spanning, depending on your switch), which allows the NAC 800s to detect and test endpoints. Many switches support local traffic mirroring—mirroring traffic from one port to another port on the same switch. However, some switches, such as the ProCurve Switches 3500yl, 5400zl, 6200yl, and 8200zl, support remote traffic mirroring as well. With remote
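Table 3-36 notes that the DHCP deployment method can be sidestepped by an endpoint that configures its own address and never sends a DHCP request. As an added example (not from this guide and not a NAC 800 feature), the following script correlates a constructed DHCP lease table with constructed ARP/switch MAC-table observations and flags production-subnet hosts whose address is not backed by a lease; the subnets, MACs, IPs and port names are assumptions.

```python
import ipaddress

# Constructed sample data for this example; subnets, MACs, IPs and ports are assumptions.
PRODUCTION_SUBNETS = [ipaddress.ip_network("10.10.1.0/24")]
QUARANTINE_SUBNETS = [ipaddress.ip_network("10.99.0.0/24")]

# Constructed DHCP lease table (MAC -> leased IP): compliant endpoints receive
# production addresses, non-compliant ones receive quarantine-subnet addresses.
DHCP_LEASES = {
    "00:11:22:33:44:55": "10.10.1.20",
    "00:11:22:33:44:66": "10.99.0.15",  # non-compliant endpoint, quarantined
}

# Constructed ARP / switch MAC-table observations: (MAC, IP, switch port).
OBSERVED = [
    ("00:11:22:33:44:55", "10.10.1.20", "A3"),   # matches its lease
    ("00:11:22:33:44:66", "10.99.0.15", "A4"),   # quarantined host behaving
    ("00:11:22:33:44:77", "10.10.1.200", "A7"),  # never asked DHCP: static address
    ("00:11:22:33:44:66", "10.10.1.21", "A4"),   # quarantined host using a production address
]


def in_any(ip, subnets):
    """True if ip (string or ip_address) falls inside one of the given networks."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in subnets)


def find_dhcp_bypass(observed, leases, production, quarantine):
    """Flag hosts seen on a production subnet whose address is not backed by a
    DHCP lease. Returns (mac, ip, port, reason) tuples in observation order."""
    findings = []
    for mac, ip, port in observed:
        if not in_any(ip, production):
            continue  # only production addresses matter for bypass detection
        leased = leases.get(mac)
        if leased is None:
            findings.append((mac, ip, port, "no DHCP lease"))
        elif leased != ip:
            if in_any(leased, quarantine):
                reason = "lease is in quarantine subnet"
            else:
                reason = "address differs from lease"
            findings.append((mac, ip, port, reason))
    return findings


def run():
    """Evaluate the constructed data set."""
    return find_dhcp_bypass(OBSERVED, DHCP_LEASES, PRODUCTION_SUBNETS, QUARANTINE_SUBNETS)


if __name__ == "__main__":
    for mac, ip, port, reason in run():
        print(f"ALERT port {port}: {mac} at {ip} ({reason})")
```

Each finding names the switch port, so the result can feed a port-disable or re-authentication workflow rather than only a report.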