Security Solutions

Addendum to the ProCurve Access Control Security Design Guide
ProCurve Access Control Solution 2.1
Post-Connect NAC Testing
Post-connect checking is a key component of a true endpoint integrity solution. Without it, users quickly learn that they can circumvent your security settings: for example, raising their browser security settings just long enough to pass the check, connecting to the network, and immediately lowering the settings again once they have been admitted.
The NAC 800 has always supported post-connect checking by the NAC 800 itself. Now, however, the NAC 800 also supports post-connect testing by other security devices. You can use post-connect NAC testing to have other security devices, such as an IDS/IPS, perform additional testing and monitoring to detect attacks or other threats. If an endpoint fails this additional testing, the security device can send a request to the NAC 800, which then quarantines the endpoint. Integrating additional security checking with the NAC 800 in this way gives you a single point of enforcement on the network.
Integration with Microsoft SMS
The NAC 800 can also integrate with Microsoft SMS for patch management. If an endpoint requires a patch, the NAC 800 can automatically contact SMS to ensure that the patch is applied.
Support for RDAC
To discover endpoints on the network, the ProCurve NAC 800 uses Device Activity Capture (DAC), which listens on the network for DHCP traffic. Specifically, DAC listens for the DHCP ACK messages that a DHCP server sends to each DHCP client when it confirms a lease. An ACK tells DAC that an endpoint has obtained an address and is accessing the network, and the NAC 800 can then test that endpoint. (DAC can also be configured to discover other types of IP traffic, such as traffic from endpoints with static IP addresses, which never complete a DHCP exchange and would otherwise go unnoticed, if necessary.)
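The following is an added illustration of the kind of passive discovery DAC performs; it is not ProCurve code and the NAC 800's internal implementation is not documented here. It parses raw DHCP payloads (RFC 2131 layout), keeps only server replies whose message type is DHCPACK, and builds a table of client MAC to leased IP. The sample packets, MAC addresses and IP addresses are constructed inline for the example; the `build_dhcp` helper exists only to fabricate them. Capturing live DHCP traffic off a mirrored port would need a privileged raw socket and is left out.

```python
"""Minimal passive DHCP-ACK endpoint discovery, in the spirit of DAC.

Added example, not ProCurve code. All packets below are constructed
in this file; the MACs and addresses are made up sample data.
"""
import socket
import struct
from typing import Dict, List, Optional, Tuple

DHCP_MAGIC = b"\x63\x82\x53\x63"   # RFC 2131 options "magic cookie"
BOOTREPLY = 2                      # op field: 1 = client request, 2 = server reply
OPT_MSG_TYPE, OPT_SERVER_ID, OPT_PAD, OPT_END = 53, 54, 0, 255
DHCPOFFER, DHCPACK, DHCPNAK = 2, 5, 6


def parse_dhcp(payload: bytes) -> Optional[dict]:
    """Parse the UDP payload of a BOOTP/DHCP message.

    Returns None for anything that is not well-formed DHCP, including a
    truncated option list, so a malformed packet is never taken as a lease.
    """
    if len(payload) < 240 or payload[236:240] != DHCP_MAGIC:
        return None
    op, _htype, hlen, _hops = struct.unpack("!BBBB", payload[:4])
    if not 0 < hlen <= 16:
        return None
    xid = struct.unpack("!I", payload[4:8])[0]
    yiaddr = socket.inet_ntoa(payload[16:20])      # "your" address: the lease being confirmed
    mac = ":".join(f"{b:02x}" for b in payload[28:28 + hlen])
    options: Dict[int, bytes] = {}
    i = 240
    while i < len(payload):
        code = payload[i]
        if code == OPT_END:
            break
        if code == OPT_PAD:
            i += 1
            continue
        if i + 1 >= len(payload):
            return None
        length = payload[i + 1]
        value = payload[i + 2:i + 2 + length]
        if len(value) != length:
            return None                             # option runs past the end of the packet
        options[code] = value
        i += 2 + length
    return {"op": op, "xid": xid, "yiaddr": yiaddr, "mac": mac, "options": options}


def endpoint_from_ack(payload: bytes) -> Optional[Tuple[str, str, Optional[str]]]:
    """Return (mac, leased_ip, dhcp_server) if payload is a DHCPACK, else None.

    Only a server reply (op=2) carrying message type 5 counts: an OFFER is
    not yet a lease, a NAK means no lease, and client messages are ignored.
    """
    msg = parse_dhcp(payload)
    if msg is None or msg["op"] != BOOTREPLY:
        return None
    if msg["options"].get(OPT_MSG_TYPE) != bytes([DHCPACK]):
        return None
    sid = msg["options"].get(OPT_SERVER_ID)
    server = socket.inet_ntoa(sid) if sid is not None and len(sid) == 4 else None
    return msg["mac"], msg["yiaddr"], server


def discover_endpoints(payloads: List[bytes]) -> Dict[str, str]:
    """Run a stream of DHCP payloads through the ACK filter and keep the most
    recent lease per client MAC: the endpoint list a NAC device would then test."""
    table: Dict[str, str] = {}
    for p in payloads:
        hit = endpoint_from_ack(p)
        if hit:
            mac, ip, _server = hit
            table[mac] = ip
    return table


def build_dhcp(op: int, msg_type: int, yiaddr: str, mac: str,
               server_id: str = "10.0.0.1", xid: int = 0x3903F326) -> bytes:
    """Fabricate a DHCP message for the example (sample data, not a capture)."""
    chaddr = bytes.fromhex(mac.replace(":", "")).ljust(16, b"\x00")
    header = struct.pack("!BBBBIHH4s4s4s4s16s64s128s",
                         op, 1, 6, 0, xid, 0, 0,
                         b"\x00" * 4, socket.inet_aton(yiaddr), b"\x00" * 4, b"\x00" * 4,
                         chaddr, b"\x00" * 64, b"\x00" * 128)
    options = (bytes([OPT_MSG_TYPE, 1, msg_type])
               + bytes([OPT_SERVER_ID, 4]) + socket.inet_aton(server_id)
               + bytes([OPT_END]))
    return header + DHCP_MAGIC + options


# Constructed sample "traffic": one full exchange, plus a NAK for a second client.
SAMPLE_TRAFFIC = [
    build_dhcp(1, 3, "0.0.0.0", "00:11:22:33:44:55"),       # DHCPREQUEST from the client
    build_dhcp(2, DHCPOFFER, "10.0.0.25", "00:11:22:33:44:55"),  # OFFER: not yet a lease
    build_dhcp(2, DHCPACK, "10.0.0.25", "00:11:22:33:44:55"),    # ACK: lease confirmed
    build_dhcp(2, DHCPNAK, "0.0.0.0", "00:11:22:33:44:66"),      # NAK: second client refused
]

if __name__ == "__main__":
    print(discover_endpoints(SAMPLE_TRAFFIC))   # {'00:11:22:33:44:55': '10.0.0.25'}
```

Two properties matter for a discovery sensor like this: it must see the server's ACKs at all (which is exactly the placement problem the RDAC discussion addresses), and it must reject malformed or unexpected messages rather than treat them as leases, which is why the parser returns None for a truncated option list and the filter ignores OFFERs, NAKs and client-originated packets. A host with a static address never produces an ACK and therefore never appears in the table; that is the gap the page's "other types of IP traffic" configuration exists to close.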
In the first release of the NAC 800, DAC ran only on the NAC 800 itself; in this configuration, DAC is sometimes referred to as Embedded DAC (EDAC). Now, however, the NAC 800 also supports DAC running as a standalone service on a Windows DHCP server. When running on the DHCP server rather than on the NAC 800, DAC is referred to as remote DAC (RDAC). While running on the Windows DHCP server, RDAC sends the DHCP information it observes back to the NAC 800.
Because RDAC relays this information to the NAC 800, you have another option for placing the NAC 800 in an 802.1X deployment. Without RDAC, the NAC 800 must be able to see the DHCP server's traffic directly: you must connect the DHCP server to the same switch as the NAC 800, or use remote mirroring if the DHCP server is connected to another switch. RDAC