Security Solutions

ManualsBrandsHP ManualsSoftwareHP ProCurve Access Control Client Software

329

330

331

332

333

334

335

336

337

338

A-31

Addendum to the ProCurve Access Control Security Design Guide

Updating the Access Control Design Process

As explained in Chapter 3: “Designing Access Controls” of the ProCurve

Access Control Security Solution Design Guide, the NAC 800 can be deployed

in three ways, which correspond with the quarantine method:

■ 802.1X

■ Dynamic Host Configuration Protocol (DHCP)

■ Inline

Chapter 3: “Designing Access Controls” also offers four factors to consider

when choosing a deployment method:

■ Access control method

■ Vulnerability to risks and risk tolerance

■ Existing network infrastructure

■ Connection type

When considering the network infrastructure, the Design Guide explains that

you must determine whether your network switches support traffic mirroring

(which may be called port mirroring, port monitoring, or port spanning,

depending on your switch). This feature allows the NAC 800s to detect and

test endpoints.

You also had to determine whether the switches support local traffic mirror-

ing—mirroring traffic from one port to another port on the same switch—or

remote traffic mirroring—mirroring traffic from a local switch to a remote

switch.

As mentioned earlier, RDAC support provides a third option. If you have

Windows 2003 DHCP servers, your switches do not have to support either

local or remote mirroring. This gives you more flexibility in placing your NAC

800 in an 802.1X deployment. Likewise, the DHCP plug-in gives you another

option for placing the NAC 800 in a DHCP deployment.

With RDAC and the DHCP plug-in, you may require fewer NAC 800s for your

network. When RDAC runs on your Windows 2003 DHCP servers, it can submit

DHCP information to the NAC 800 from any location on the network—

provided that the network is set up to route the information correctly. If you

want to use an 802.1X deployment and your switches support only local

mirroring, you do not have to connect a NAC 800 to each switch that connects

to a DHCP server or relocate your DHCP servers so they all connect to the

same switch. With the DHCP plug-in deployment, you can place the NAC 800

anywhere on the network, rather than:

■ Placing a NAC 800 between each DHCP server and the network

■ Connecting all the DHCP servers to the same switch and placing the NAC

800 between the switch and the rest of the network