Security Solutions
3-109
Designing Access Controls
Finalize Security Policies
Table 3-81 shows access profiles and VLAN assignments at PCU. Each access policy group has an associated profile, and some groups have more than one profile. For example, a trusted user, such as the president, who accesses the network through an unencrypted wireless connection requires a different profile from that same user on a wired or secure wireless connection. (This profile is called the Unencrypted profile.)

In this example, profiles that are associated with the same access policy group are also associated with the same VLAN ID—with the exception of the Quarantine profile. In other words, the president is always placed in the same VLAN no matter how he or she accesses the network. However, the profiles are associated with different resources.
Table 3-81. Dynamic VLANs for PCU

Access Profile                         VLAN ID
IT admin                               2
President, vice president, and so on   14
Unencrypted                            14
Accounting                             15
Registrars                             16
Staff                                  17
Student                                18
Engineering students                   19
Faculty                                20
Engineering faculty                    21
Guest                                  22
Guest_afterhours                       22
IP telephones                          23
Quarantine/Test                        24

■ Allowed resources—You should also assign the proper resources to each access profile.

IDM allows you to define resources, which are essentially ACLs. For example, you can create a resource that allows traffic to an email server’s IP address on port 110 and call the resource “Email server.” And you can create a “Web traffic” resource that allows all traffic destined to TCP port 80. You could then assign both resources to an access profile.
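The following is an added, constructed model of the design above (it is not IDM code): profiles carry the VLAN IDs from Table 3-81, the “Email server” and “Web traffic” resources act as ACL entries, and the president lands in VLAN 14 on any connection but loses the email resource on an unencrypted wireless link. The mail server address and the connection-type names are assumed values.

```python
"""Model of access profiles, dynamic VLANs and resource ACLs (constructed example)."""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass(frozen=True)
class Resource:
    """An IDM-style resource: an ACL entry permitting traffic to a destination."""
    name: str
    dst_net: str   # destination network; "0.0.0.0/0" means any host
    proto: str     # "tcp" or "udp"
    port: int

    def matches(self, dst_ip: str, proto: str, port: int) -> bool:
        return (proto == self.proto and port == self.port
                and ip_address(dst_ip) in ip_network(self.dst_net))


@dataclass
class AccessProfile:
    name: str
    vlan_id: int                                   # from Table 3-81
    resources: list = field(default_factory=list)  # ACL entries assigned to the profile


# Mail-server address is an assumed value; port numbers come from the text.
EMAIL = Resource("Email server", "10.1.0.25/32", "tcp", 110)
WEB = Resource("Web traffic", "0.0.0.0/0", "tcp", 80)

PROFILES = {
    "President": AccessProfile("President, vice president, and so on", 14, [EMAIL, WEB]),
    # Same VLAN as the president's normal profile, but fewer resources.
    "Unencrypted": AccessProfile("Unencrypted", 14, [WEB]),
}


def select_profile(group: str, connection: str) -> AccessProfile:
    """Pick the profile for an access policy group given how the user connects.

    connection is one of "wired", "secure-wireless" or "unencrypted-wireless"
    (assumed labels).
    """
    if connection == "unencrypted-wireless":
        return PROFILES["Unencrypted"]
    return PROFILES[group]


def is_permitted(profile: AccessProfile, dst_ip: str, proto: str, port: int) -> bool:
    """Traffic is allowed only if some resource assigned to the profile permits it."""
    return any(r.matches(dst_ip, proto, port) for r in profile.resources)
```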