Security Solutions

3-70
Designing Access Controls
Choose Endpoint Integrity Testing Methods
In this case (little administrative control over the endpoints), your choice of
testing method is effectively limited to ActiveX, because its requirements on the
endpoint are the least stringent of the three methods. The browser must be
configured to allow JavaScript and ActiveX scripting. (If Windows XP endpoints are
running the pre-SP2 firewall, port 1500 must be opened on the endpoint manually;
the Windows XP SP2 firewall allows this port by default.)
If you have more control over endpoints, you can require users to download
and run the NAC EI agent. For endpoints in a Windows domain, you can supply
the admin credentials and use the agentless test method.
Table 3-44 summarizes the requirements for each testing method.
Table 3-44. Testing Method by Control over Endpoints

                      Agentless                     ActiveX                       NAC EI Agent
Admin control needed  High                          Low to medium                 Medium to high
Requirements          Admin credentials for each    Browser security settings     All endpoints must have the
                      endpoint must be known.       must allow JavaScript and     agent installed.
                      File and print sharing must   ActiveX scripting.            Port 1500 may need to be
                      be enabled.                   Port 1500 may need to be      opened on the endpoint.*
                      RPC service must be enabled.  opened manually on the        ActiveX controls must be
                      Ports 137, 138, 139, and 445  endpoint.*                    allowed on the endpoint.
                      must be opened on the
                      firewall.

* Only on unmanaged endpoints that run Windows XP with non-SP2 firewalls.

Example. At PCU, network administrators have some influence over staff and
faculty endpoints (although perhaps not over the endpoints used to log in to
the VPN), less influence over student endpoints, and none at all over guest
wireless endpoints. Some endpoints in the public wired zone are located in
public computer labs and are owned by the university; the administrators have
quite a bit of control over these computers. Other endpoints, however, are
owned by students and guests.
The network administrators can ask students, faculty, and staff members to
download the NAC EI agent. On other endpoints, ActiveX is the more realistic
option, although some guests might allow the NAC EI agent to install
automatically.

Table 3-45. Testing Method by Administrative Control

Factor                  Public Wired      Private Wired     Public Wireless   Private Wireless  Remote
Administrative control  ActiveX           Agentless         ActiveX           NAC EI agent      ActiveX
                        NAC EI agent      NAC EI agent      NAC EI agent      ActiveX           NAC EI agent
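The following preflight checker is an added example; it is not code from this course or from any NAC EI product. It encodes the endpoint requirements of Table 3-44 and reports, per testing method, which prerequisites a given endpoint fails, so an administrator can see why a method is unavailable in a zone before choosing one of the options in Table 3-45. Assumptions not stated on the page: reachability is probed over TCP only (139/445 for file and print sharing, 1500 for the ActiveX control and the agent), UDP 137/138 are not probed, and the remaining flags (credentials known, RPC enabled, agent installed, browser settings) come from inventory data the caller supplies. The hosts and open-port lists at the bottom are constructed for an offline demonstration.

```python
"""Preflight check for NAC EI testing methods (agentless, ActiveX, agent).

Added example; not part of the original course material or any product.
Port numbers and prerequisites follow Table 3-44. Assumptions: probes are
TCP only (UDP 137/138 are not checked); inventory flags are caller-supplied.
"""
import socket
from dataclasses import dataclass

SMB_TCP_PORTS = (139, 445)   # file and print sharing; UDP 137/138 not probed
EI_PORT = 1500               # must be open on the endpoint for ActiveX/agent tests

# Table 3-44 order, from least to most administrative control needed.
METHODS_BY_CONTROL = ("activex", "agent", "agentless")


@dataclass
class Endpoint:
    host: str
    have_admin_creds: bool = False        # agentless: admin credentials known
    rpc_enabled: bool = False             # agentless: RPC service running
    agent_installed: bool = False         # agent: NAC EI agent present
    browser_allows_activex: bool = False  # ActiveX/agent: JavaScript + ActiveX allowed


def tcp_open(host, port, timeout=1.0):
    """True if a TCP connection to host:port succeeds within timeout."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def unmet_prerequisites(ep, probe=tcp_open):
    """Map each method to the Table 3-44 requirements the endpoint fails.

    An empty list means the method is usable on this endpoint. `probe` is
    injectable so the logic can be exercised without network access.
    """
    smb_reachable = any(probe(ep.host, p) for p in SMB_TCP_PORTS)
    ei_reachable = probe(ep.host, EI_PORT)

    checks = {
        "agentless": [
            ("admin credentials known", ep.have_admin_creds),
            ("RPC service enabled", ep.rpc_enabled),
            ("file and print sharing reachable (TCP 139/445)", smb_reachable),
        ],
        "activex": [
            ("browser allows JavaScript and ActiveX", ep.browser_allows_activex),
            ("port 1500 open on endpoint", ei_reachable),
        ],
        "agent": [
            ("NAC EI agent installed", ep.agent_installed),
            ("port 1500 open on endpoint", ei_reachable),
            ("ActiveX controls allowed", ep.browser_allows_activex),
        ],
    }
    return {m: [name for name, ok in checks[m] if not ok] for m in METHODS_BY_CONTROL}


def usable_methods(ep, probe=tcp_open):
    """Methods with no unmet prerequisites, least administrative control first."""
    unmet = unmet_prerequisites(ep, probe)
    return [m for m in METHODS_BY_CONTROL if not unmet[m]]


# Constructed inventory for an offline demonstration (hypothetical hosts).
FAKE_OPEN_PORTS = {
    "lab-pc-01": {139, 445, 1500},  # university-owned lab machine
    "student-laptop": {1500},       # personal laptop, SMB blocked by its own firewall
    "guest-tablet": set(),          # guest device, nothing reachable
}


def fake_probe(host, port):
    """Stand-in for tcp_open that answers from the constructed inventory."""
    return port in FAKE_OPEN_PORTS.get(host, set())


LAB_PC = Endpoint("lab-pc-01", have_admin_creds=True, rpc_enabled=True,
                  agent_installed=True, browser_allows_activex=True)
STUDENT = Endpoint("student-laptop", browser_allows_activex=True)
GUEST = Endpoint("guest-tablet", browser_allows_activex=True)

if __name__ == "__main__":
    for ep in (LAB_PC, STUDENT, GUEST):
        print(ep.host, usable_methods(ep, fake_probe), unmet_prerequisites(ep, fake_probe))
```

Run against real hosts by dropping the `probe` argument so `tcp_open` is used; the probe only tests that the ports accept a connection, not that the services behind them are the expected ones or that the supplied credentials actually work.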