Security Solutions
3-74
Designing Access Controls
Choose Endpoint Integrity Testing Methods
Administrative Workload
If users are unwilling or unable to help with the initial setup of the testing method, the task is left to the IT staff. If you have a large number of endpoints, some types of agent setup can be too burdensome. For example, the agentless testing method requires file and print sharing to be enabled on the endpoint and the NAC 800 specified as a host for such sharing. You can push these settings to endpoints through a Windows domain; otherwise, configuring them on each endpoint would be difficult and time-consuming.
For the NAC EI agent, you will need to install the agent on each endpoint. If users cannot help you install the agent, or if you cannot use Active Directory or an application distribution program to install it, you must rely on your IT staff to do it. If you have a high number of endpoints, the initial installation will take some time.
For NAC EI agent testing and ActiveX testing, port 1500 must be open on any firewall placed between the NAC 800 and endpoints. This is primarily a concern for remote endpoints (as mentioned earlier, the agents can usually open ports on endpoint firewalls automatically). Organizations divide administrative tasks differently, so ask yourself: do you have the authority to get the proper ports opened on your network’s router?
ActiveX is the easiest to deploy in almost all cases if only the initial setup is considered. Although it requires Internet Explorer, this requirement almost never poses a problem: most endpoints already have this application. However, if your endpoints do not, consider whether you have the time to install IE on all endpoints and the authority to require users to use this Web browser.
Table 3-50. Testing Methods by Administrative Workload

Agentless
  Ease of deployment: Medium
  Deployment requirements:
  • You must have admin credentials for the domain.
  • File and print sharing must be enabled.
  • Ports 137, 138, 139, and 445 must be opened on the firewall. (These ports
    should be opened when you enable file and print sharing.)

ActiveX
  Ease of deployment: Low to medium
  Deployment requirements:
  • Router port 1500 must be kept open.*
  • The browser must allow ActiveX content and JavaScript.
  • Endpoints must run IE.

NAC EI Agent
  Ease of deployment: Medium
  Deployment requirements:
  • The agent must be downloaded and installed on each endpoint.
  • Router port 1500 must be kept open.*

* Port 1500 must be opened on unmanaged endpoints that run Windows XP and non-SP2 firewalls.
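The port requirements in Table 3-50 can be turned into a pre-rollout readiness check run from the NAC 800's side of the network, so you can estimate how many endpoints will need remediation before choosing a testing method. The script below is an added example, not code from the HP manual or the NAC 800 product; the endpoint addresses, the probe results, the `nac_ei_agent`/`activex`/`agentless` method names and the assumption that port 1500 is TCP are all constructed here, and the sample probe stands in for real network results so it runs offline. It also handles a caveat the table does not spell out: ports 137 and 138 are NetBIOS over UDP, which a plain TCP connect test cannot confirm, so those are reported as "unknown" rather than guessed.

```python
"""Readiness check for NAC 800 endpoint integrity testing methods.

Added example (not from the original manual): given the ports Table 3-50
lists per testing method, probe a set of endpoints and report which ones
would need remediation before rollout.
"""
import socket
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple

# (protocol, port) pairs each method needs reachable from the NAC 800.
# 137/138 are NetBIOS over UDP and 139/445 are SMB over TCP (file and print
# sharing); 1500 is the agent/ActiveX channel, assumed TCP here because the
# manual does not state the protocol.  Method keys are our own labels.
REQUIRED: Dict[str, Set[Tuple[str, int]]] = {
    "agentless":    {("udp", 137), ("udp", 138), ("tcp", 139), ("tcp", 445)},
    "activex":      {("tcp", 1500)},
    "nac_ei_agent": {("tcp", 1500)},
}

# A probe returns True (open), False (closed) or None (could not determine).
Probe = Callable[[str, str, int], Optional[bool]]


def tcp_connect_probe(host: str, proto: str, port: int,
                      timeout: float = 1.0) -> Optional[bool]:
    """Real probe: TCP connect test from the machine running the script.
    UDP ports cannot be confirmed this way, so they come back as unknown."""
    if proto != "tcp":
        return None
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def check_endpoint(host: str, method: str, probe: Probe) -> Dict[str, List[str]]:
    """Classify each port the method requires as open / blocked / unknown."""
    result: Dict[str, List[str]] = {"open": [], "blocked": [], "unknown": []}
    for proto, port in sorted(REQUIRED[method]):
        state = probe(host, proto, port)
        key = "unknown" if state is None else ("open" if state else "blocked")
        result[key].append(f"{proto}/{port}")
    return result


def workload_report(hosts: Iterable[str], method: str,
                    probe: Probe) -> Dict[str, List[str]]:
    """Group endpoints by rollout readiness for one testing method.
    needs_work      = at least one required port is confirmed blocked
    verify_manually = nothing blocked, but some port could not be checked
    ready           = every required port confirmed open"""
    report: Dict[str, List[str]] = {"ready": [], "needs_work": [],
                                    "verify_manually": []}
    for host in hosts:
        r = check_endpoint(host, method, probe)
        if r["blocked"]:
            report["needs_work"].append(host)
        elif r["unknown"]:
            report["verify_manually"].append(host)
        else:
            report["ready"].append(host)
    return report


# Constructed sample data: which ports a fake probe sees open per endpoint.
SAMPLE_OPEN: Dict[str, Set[Tuple[str, int]]] = {
    "10.0.0.11": {("tcp", 139), ("tcp", 445), ("tcp", 1500)},  # sharing on, agent port open
    "10.0.0.12": {("tcp", 1500)},                              # sharing off, agent port open
    "10.0.0.13": set(),                                        # locked-down host firewall
}


def sample_probe(host: str, proto: str, port: int) -> Optional[bool]:
    """Offline stand-in for tcp_connect_probe using the constructed table."""
    if proto == "udp":
        return None
    return (proto, port) in SAMPLE_OPEN.get(host, set())


if __name__ == "__main__":
    for method in REQUIRED:
        print(method, workload_report(SAMPLE_OPEN, method, sample_probe))
```

Swap `sample_probe` for `tcp_connect_probe` to run it against real endpoints; hosts that land in `verify_manually` are the ones whose UDP NetBIOS ports (and, per the table's footnote, whose Windows XP firewall state) still have to be confirmed by other means before an agentless rollout.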