Security Solutions

Designing Access Controls
Lay Out the Network
Table 3-117. VPN Capabilities of the ProCurve VPN Client
VPN Protocol:
• IPsec with IKE
• L2TP/IPsec
Authentication Methods:
• Preshared key
• Digital certificates (Certificate Manager and SCEP included)
Encryption and Hash Algorithms:
• Hash:
  – HMAC-MD5
  – HMAC-SHA1
  – DES-MAC
• Encryption:
  – DES
  – 3DES
  – AES
Support for NAT-T: Yes
Support for Xauth: Yes

Combining Access Control Zone Designs
Network topology does not always match network geography. The sample diagrams of the different zones often show, for the sake of clarity, zones that are each geographically separate from the others. In fact, the separate segments may be geographically adjacent or overlapping. In such cases, you may be able to combine different network functions on the same switch.

Adjacent Zones
Adjacent zones are zones that consist of separate access points; however, they are close enough that the device that provides the access points can be the same. ProCurve devices are perfectly capable of enforcing different access control methods on different ports, so adjacent zones should pose no problem.

For example, you may have a private office (private wired zone) that is separated by a wall from a public computer lab (public wired zone). A switch located between the two zones can serve both of them, as long as it has the port capacity and the ability to configure the ports in the different zones as necessary. Similarly, a switch might have some ports that connect to private office areas (private wired zone) and other ports that connect to wireless AP 420s in private meeting rooms (public wireless zone). The switch can enforce 802.1X on the private wired zone ports and Web-Auth on the AP 420 ports.

Overlapping Zones
In networks in which mobility has become commonplace and employees may rapidly change from wired to wireless access, different types of zones may exist in exactly the same physical space.
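For the adjacent-zones case described above (802.1X on the private wired ports, Web-Auth on the ports facing the AP 420s), the following is an added example of what that per-port split looks like in the ProCurve switch CLI. It is not configuration from the guide. The port ranges (1-12 for the private wired zone, 13-16 for the AP 420 uplinks), the RADIUS server address 10.1.1.5 and the shared-secret placeholder are assumptions, and the command forms are those of ProCurve switch software of that generation, so check them against the manual for the specific switch model before use.

```text
; Added example, not from the guide. Assumed layout: ports 1-12 serve the
; private wired zone, ports 13-16 connect to AP 420s in the public wireless zone.
; Both access control methods authenticate against the same assumed RADIUS server.
radius-server host 10.1.1.5 key REPLACE_WITH_SHARED_SECRET
aaa authentication port-access eap-radius

; Private wired zone: 802.1X authenticator on the office ports only.
aaa port-access authenticator 1-12
aaa port-access authenticator active

; Public wireless zone: Web-Auth on the AP 420 ports. Many wireless clients
; share one AP uplink, so the per-port client limit is raised above the
; default of one (the value 32 is an assumption for this example).
aaa port-access web-based 13-16
aaa port-access web-based 13-16 client-limit 32
```

The point of the example is that the two methods are bound to disjoint port lists, so a port is never left under both or under neither. After applying such a configuration, `show port-access authenticator` and `show port-access web-based` list which ports each method covers, which is the check that the zone split on the shared switch matches the design.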