Security Solutions

Addendum to the ProCurve Access Control Security Design Guide
Updating the Access Control Design Process
Choose the Endpoint Integrity Solution
The ProCurve Access Control Solution supports two options for endpoint
integrity (that is, controlling network access based on an endpoint’s
compliance with security policies):
- ProCurve NAC 800—a security appliance
- Microsoft Network Access Protection (NAP)—a framework distributed
  across several servers running Windows Server 2008
With both options, the device that performs endpoint integrity testing can also
provide user authentication and authorization. In addition, remember that
endpoint integrity tests are only the first step; ProCurve IDM helps you to
create policies to control access based on the results of the tests. IDM supports
either the NAC 800 or NAP, giving you the flexibility to choose the option that
is best for your environment.
As you weigh your options, consider these factors:
- Existing network environment
- Vulnerability to risks and risk tolerance
- Management resources
- Interoperability requirements
Existing Network Environment
Consider the endpoints in your environment:
- Do you have Mac endpoints?
- Do you have legacy Windows endpoints?
NAP relies on the NAP Agent and other components that are supported only
by endpoints that run Windows XP SP3 or Windows Vista. Therefore, NAP is
suitable for organizations that have up-to-date and homogeneous Windows
environments. The NAC 800, on the other hand, operates in mixed
environments, testing Windows 2000, Windows XP, Windows Vista, and
Macintosh endpoints.
In addition, NAP is distributed across several Windows Server 2008 services.
For example, NAP may require not only a NAP Health Policy Server (NPS) but
also a Health Registration Authority (HRA). Or, if you are using the DHCP
deployment option, your company’s DHCP server must also run Windows
Server 2008. If you do not want to upgrade your servers at this time, the NAC
800 could be a better solution.