Security Solutions

3-143
Designing Access Controls
Lay Out the Network
Access Control Method. Although it is a wireless zone, the private wireless
zone, due to its private nature (and concomitant level of IT control), is well
suited to 802.1X authentication.
Encryption. In a wireless network, 802.1X authentication helps to generate
secure encryption keys. Generally, there is no reason that you cannot choose
strong WPA/WPA2 encryption (TKIP or AES or both) because most wireless
NICs support this option.
Endpoint Integrity. The same issues discussed for endpoint integrity in the
private wired zone apply to this zone. If anything, checking endpoints’ integrity
is more important in this zone because employees might take their laptop off
the premises, connect it to an insecure network where it becomes infected,
and return the infected endpoint to your network. See “Endpoint Integrity” on
page 3-140 for more information.
VLAN Assignments and Other Dynamic Settings. When a user successfully
authenticates to a Wireless Edge Services Module or ProCurve AP, the
device applies the VLAN assignment and other settings sent by the RADIUS
server. The settings take effect as traffic is bridged from the wireless to the
wired network. Remember to tag the connection between the switch and the
AP (or Wireless Edge Services Module) for every user VLAN that you have
designed.
If the RADIUS server does not send a VLAN assignment, the wireless device
assigns the user to the static VLAN for the WLAN.
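The assignment logic described above, as an added illustration that is not code from the ProCurve guide: it resolves the VLAN from the RFC 3580 tunnel attributes in a RADIUS Access-Accept, falls back to the WLAN's static VLAN when none is sent, and flags the design error the text warns about (a RADIUS-assigned VLAN that is not tagged on the switch-to-AP link). The attribute dictionary, the `Wlan` record and the sample values are constructed assumptions, not a real device's API.

```python
"""Resolve the VLAN a wireless client lands on after 802.1X (RFC 3580 style)."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Optional, Tuple

# RFC 3580 tunnel attributes as carried in a RADIUS Access-Accept
TUNNEL_TYPE = 64               # value 13 = VLAN
TUNNEL_MEDIUM_TYPE = 65        # value 6 = IEEE-802
TUNNEL_PRIVATE_GROUP_ID = 81   # VLAN ID as a string, optionally tag-prefixed


@dataclass
class Wlan:
    """Constructed model of one WLAN and the VLANs tagged on its AP uplink."""
    ssid: str
    static_vlan: int
    uplink_tagged_vlans: FrozenSet[int] = field(default_factory=frozenset)


def radius_vlan(attrs: Dict[int, object]) -> Optional[int]:
    """Return the VLAN ID from an Access-Accept, or None if no valid VLAN assignment."""
    if attrs.get(TUNNEL_TYPE) != 13 or attrs.get(TUNNEL_MEDIUM_TYPE) != 6:
        return None
    group = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not isinstance(group, str) or not group:
        return None
    # RFC 2868: a leading octet in 0x00-0x1F is a tag, not part of the value
    if ord(group[0]) <= 0x1F:
        group = group[1:]
    if not group.isdigit():
        return None
    vid = int(group)
    return vid if 1 <= vid <= 4094 else None


def assign_vlan(wlan: Wlan, attrs: Dict[int, object]) -> Tuple[int, str]:
    """Apply the RADIUS VLAN if present, else the WLAN's static VLAN.

    The second element reports the source, or "radius-untagged-uplink" when
    the RADIUS server chose a VLAN the design never tagged on the AP uplink.
    """
    vid = radius_vlan(attrs)
    if vid is None:
        return wlan.static_vlan, "static"
    if vid not in wlan.uplink_tagged_vlans:
        return vid, "radius-untagged-uplink"
    return vid, "radius"
```

A VLAN flagged as `radius-untagged-uplink` is the case the text warns about: the AP applies it, but the bridged traffic has nowhere to go on the wired side.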
Choose APs, Wireless Edge Services Modules, and RPs. Because all
ProCurve wireless products support 802.1X authentication, any is suitable for
a private wireless zone. As far as equipment is concerned, the same issues that
apply to the public wireless zone apply to this zone. Refer to “Choose APs” on
page 3-136 and “Choose Switches” on page 3-137.
Remote Zone
The remote zone is a VPN that allows users to access the private network
remotely, typically through a connection to the Internet. Because traffic in the
remote zone travels through the public space of the Internet, you must
carefully plan your VPN solution, ensuring that it provides strong
authentication and encryption. You might also limit the resources that remote users can
access (although encryption algorithms such as AES provide some guarantees
of data privacy).