Security Solutions

Designing Access Controls
Lay Out the Network
Remember, in either case, you can allow unauthenticated users to be placed on an unauthenticated VLAN.

Endpoint Integrity. Particularly when you allow members of the public to connect their own equipment to your network, you should implement endpoint integrity. The most suitable deployment method is usually DHCP, and the most suitable testing method is ActiveX (because ActiveX testing does not require any installation of software or entering of credentials).

Even if guests use your company’s equipment, you might want to test the equipment’s integrity; otherwise, you cannot be certain guests will not alter security settings and perhaps introduce malware. Because your organization owns the equipment, you can choose the NAC EI agent testing method if you so desire.
Table 3-106. Public Wired Zone Policies

| Zone | Authentication Method | EI Deployment | Testing Method | Authentication Protocol | Encryption |
|---|---|---|---|---|---|
| Public wired, private equipment | Web-Auth or MAC-Auth | DHCP | NAC EI agent or ActiveX | RADIUS-CHAP, RADIUS-PAP | none |
| Public wired, guest equipment | Web-Auth | DHCP | ActiveX | RADIUS-CHAP, RADIUS-PAP | none |

Choose Switches. The public wired zone features direct connections between users and switches, which serve as the PEPs. You will need switches that support MAC-Auth and Web-Auth.

Table 3-107 shows the access control methods supported by ProCurve Switches. For example, the ProCurve Switch 3500yl may be a good choice, as it supports both methods and can be reconfigured by the RADIUS server with dynamic settings. For full details on each product, visit http://www.hp.com/rnd/products/index.htm.

Table 3-107. Network Access Control Capabilities of ProCurve Edge Switches

| Switch Series | MAC-Auth | Web-Auth | 802.1X | Dynamic VLAN Assignment | Dynamic ACLs |
|---|---|---|---|---|---|
| 5400zl | X | X | X | X | X |
| 5300xl | X | X | X | X | X |
| 4200vl | X | X | X | X | |
| 4100gl | | | X | X | |
| 3500yl | X | X | X | X | X |
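As an added example that is not part of the original guide, the following ProCurve switch CLI fragment applies the public wired zone policies of Table 3-106 on a switch such as the 3500yl: MAC-Auth and Web-Auth on the public-zone ports, RADIUS-CHAP to the RADIUS server, and an unauthenticated VLAN for clients that have not yet authenticated. The RADIUS address, shared secret, port range and VLAN IDs are assumed values; endpoint integrity testing (DHCP deployment, ActiveX or NAC EI agent) is configured on the NAC appliance and is not shown.

```text
; Assumed example values: RADIUS server 10.1.1.10, ports 1-24 in the public
; wired zone, VLAN 10 for authenticated users, VLAN 99 as the unauthenticated VLAN.
radius-server host 10.1.1.10 key EXAMPLE-SHARED-SECRET

; Use CHAP rather than PAP between the switch and the RADIUS server
; for both authentication methods (RADIUS-CHAP in Table 3-106).
aaa authentication mac-based chap-radius
aaa authentication web-based chap-radius

; MAC-Auth for company-owned (private) equipment with known addresses;
; the RADIUS server may override auth-vid with a dynamic VLAN assignment.
aaa port-access mac-based 1-24
aaa port-access mac-based 1-24 auth-vid 10
aaa port-access mac-based 1-24 unauth-vid 99

; Web-Auth for guest equipment; unauthenticated clients land in VLAN 99
; until they authenticate through the switch's web login page.
aaa port-access web-based 1-24
aaa port-access web-based 1-24 auth-vid 10
aaa port-access web-based 1-24 unauth-vid 99
aaa port-access web-based 1-24 client-limit 1
```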