Security Solutions

1-9
Access Control Concepts
Network Access Control Technologies
Note You can also configure the network to authorize unauthenticated users for
certain—typically, very limited—rights.
In addition to considering whether a user has authenticated successfully, an
AAA server assigns rights based on user identity and time and location of
access. In other words, authorization is the mechanism that customizes a
network for different types of users, providing each user with appropriate
network access, rather than blanket “all or none” access.
Therefore, authorization is a particularly important component of a network
access control solution. The authorization aspect of network access control
also removes some of the burden from data and application access control.
For example, you could set up “all or none” access to the network and then
control access to application servers separately on each server. But a better
solution often adds centralized network access control policies that grant
users rights to appropriate services when they first access the network,
preventing unauthorized traffic from ever reaching servers.
Authorization rights that are set up on an AAA server are often called dynamic
or user-based settings because they are assigned to individual users automatically when they connect to the network.
Rights determine:
Which resources and services the user can and cannot access—Typically,
you enforce these rights with Virtual LAN (VLAN) assignments and access
control lists (ACLs).
Note ProCurve Identity Driven Manager (IDM) will help you set up your policies
more efficiently, as described in “ProCurve IDM” on page 1-58.
As much as possible, you place resources necessary for a particular group
of users in the same VLAN. ACLs, applied to routers or to edge devices,
permit only the appropriate user groups access to the VLAN in question.
For example, if the server with your payroll database were placed on
VLAN 7, you would restrict access to this VLAN: you would allow only
users in the Accounting group—thereby preventing unauthorized employees from browsing the company payroll.
You can also use rights (specifically, dynamic ACLs) to control which
types of services and applications users can access. TCP and UDP, two
Transport Layer protocols, assign various applications to specific ports.
For example, Web traffic uses TCP port 80 whereas File Transfer Protocol
(FTP) traffic uses TCP port 21. To limit a set of users such as guests to
browsing Web sites, simply restrict their traffic to TCP port 80.
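The following is an added illustration, not ProCurve or IDM configuration, of the authorization model described above: a small policy engine that assigns a VLAN and a first-match ACL per user group at connection time (with constructed time and location conditions), placing Accounting users on the payroll VLAN 7 and limiting guests to TCP port 80. All names, groups and VLAN numbers other than VLAN 7 are assumptions.

```python
from dataclasses import dataclass
from datetime import time
from typing import Optional, Tuple

# Hypothetical data model for dynamic, user-based rights: a VLAN assignment
# plus an ACL whose first matching entry decides (implicit deny at the end).
@dataclass(frozen=True)
class AclEntry:
    action: str               # "permit" or "deny"
    proto: str                # "tcp", "udp" or "any"
    dst_port: Optional[int]   # None matches any destination port
    dst_vlan: Optional[int]   # None matches any destination VLAN

@dataclass(frozen=True)
class Rights:
    vlan: int
    acl: Tuple[AclEntry, ...]

# Constructed policy table (assumed values, not a real site's policy).
POLICY = {
    # Accounting users land on VLAN 7 (payroll) and may reach anything there.
    "accounting": Rights(7, (AclEntry("permit", "any", None, 7),
                             AclEntry("deny", "any", None, None))),
    # Guests get an isolated VLAN and only Web browsing on TCP port 80.
    "guest": Rights(99, (AclEntry("permit", "tcp", 80, None),
                         AclEntry("deny", "any", None, None))),
}

def authorize(group: str, authenticated: bool, at: time, location: str) -> Rights:
    """Rights granted at connect time; anyone who fails a condition gets guest rights."""
    if not authenticated or group not in POLICY:
        return POLICY["guest"]
    # Constructed condition: payroll access only from HQ during office hours.
    if group == "accounting" and (location != "hq" or not time(7) <= at <= time(19)):
        return POLICY["guest"]
    return POLICY[group]

def acl_allows(acl: Tuple[AclEntry, ...], proto: str, dst_port: int, dst_vlan: int) -> bool:
    """Evaluate a flow against the session ACL: first match wins, else deny."""
    for entry in acl:
        if (entry.proto in ("any", proto)
                and entry.dst_port in (None, dst_port)
                and entry.dst_vlan in (None, dst_vlan)):
            return entry.action == "permit"
    return False  # implicit deny when no entry matches
```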