Security Solutions
1-34
Access Control Concepts
Network Access Control Technologies
A network typically includes VLANs such as these:
■ Management VLAN—This type of VLAN includes the IP addresses on infrastructure devices through which you manage and configure those devices. It may also include the endpoints that network administrators use to access the infrastructure devices. On ProCurve devices, you can enable a Secure Management VLAN, which does not allow traffic to be routed in or out of it.
■ Default VLAN—This VLAN includes all devices connected to ports not specifically assigned to another VLAN. If you implement network access control on all ports, you do not need to worry as much about securing the default VLAN. A method such as 802.1X prevents rogue users from connecting to unprotected ports.
Note Sometimes the management VLAN is also the default VLAN; you should
give the management VLAN a new ID to protect access to your network
devices.
■ Unauthorized VLAN—In a network that implements port access control, the unauthorized VLAN fulfills some of the roles of a default VLAN. It is the VLAN into which users that fail authentication are placed, and is therefore sometimes called the guest VLAN. The unauthorized VLAN might allow access to the Internet or a limited list of private resources.
■ User VLANs—These VLANs include end-user devices. Best practices dictate that you group end users together according to the resources and rights that they require. For example, a network administrator at a hospital might place all nurses and doctors in VLAN 16, subnet 10.1.16.0/22. The administrator can then create ACLs to allow traffic from that subnet to a database of patient information.
■ Server VLANs—These VLANs include servers and databases. Again, it is easier to set up access controls when the resources necessary to a particular group are placed in the same VLAN. For example, the hospital network administrator could group all databases that store patient information in VLAN 6 and allow communication between VLAN 6 and VLAN 16. Of course, some servers, such as DHCP and DNS servers, might handle requests from several VLANs.
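The hospital example above is worth seeing as an actual policy evaluation. The following is an added illustration, not code from the ProCurve documentation: it models the VLAN plan (VLAN 16 / 10.1.16.0/22 from the text; the VLAN 6 database subnet, a guest VLAN 99 and the database port are assumed placeholders) and evaluates flows against a first-match ACL with the implicit deny that switch ACLs apply at the end. Because clinicians and patient databases are each grouped in one VLAN, the policy stays at three rules no matter how many hosts are added.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed VLAN plan following the hospital example in the text.
# VLAN 16 / 10.1.16.0/22 is from the text; the other two subnets are assumed.
VLANS = {
    6: ipaddress.ip_network("10.1.6.0/24"),     # patient-database servers (subnet assumed)
    16: ipaddress.ip_network("10.1.16.0/22"),   # nurses and doctors (from the text)
    99: ipaddress.ip_network("10.1.99.0/24"),   # unauthorized / guest VLAN (assumed)
}

ANY = ipaddress.ip_network("0.0.0.0/0")


@dataclass(frozen=True)
class Rule:
    action: str                    # "permit" or "deny"
    src: ipaddress.IPv4Network
    dst: ipaddress.IPv4Network
    protocol: str = "ip"           # "ip" matches any protocol; otherwise "tcp" or "udp"
    dst_port: Optional[int] = None  # None matches any destination port


def vlan_of(ip: str) -> Optional[int]:
    """Return the VLAN whose subnet contains ip, or None if it is in no planned VLAN."""
    addr = ipaddress.ip_address(ip)
    for vid, net in VLANS.items():
        if addr in net:
            return vid
    return None


def evaluate(acl, src: str, dst: str, protocol: str = "ip", dst_port: Optional[int] = None) -> str:
    """First-match ACL evaluation; anything not matched by a rule is denied."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for rule in acl:
        if s not in rule.src or d not in rule.dst:
            continue
        if rule.protocol != "ip" and rule.protocol != protocol:
            continue
        if rule.dst_port is not None and rule.dst_port != dst_port:
            continue
        return rule.action
    return "deny"  # implicit deny at the end of the list


# Three rules cover the whole hospital: clinicians reach the database service,
# nobody else reaches the database VLAN, and other traffic is left alone.
PATIENT_DB_ACL = [
    Rule("permit", VLANS[16], VLANS[6], "tcp", 1433),  # database port is an assumed value
    Rule("deny", ANY, VLANS[6]),
    Rule("permit", ANY, ANY),
]


def audit(acl, flows):
    """Evaluate a list of (src, dst, protocol, port) tuples; returns the decision per flow."""
    return [evaluate(acl, *flow) for flow in flows]


if __name__ == "__main__":
    # Constructed sample flows: a nurse, the same nurse on a non-database port, a guest.
    sample = [
        ("10.1.17.5", "10.1.6.10", "tcp", 1433),
        ("10.1.17.5", "10.1.6.10", "tcp", 80),
        ("10.1.99.7", "10.1.6.10", "tcp", 1433),
        ("10.1.99.7", "203.0.113.9", "tcp", 443),
    ]
    for flow, decision in zip(sample, audit(PATIENT_DB_ACL, sample)):
        print(f"VLAN {vlan_of(flow[0])} -> VLAN {vlan_of(flow[1])} {flow[2]}/{flow[3]}: {decision}")
```

Note that the deny rule for the database VLAN comes before the catch-all permit; reversing those two rules would silently open VLAN 6 to the guest VLAN, which is the kind of ordering mistake an evaluator like this is useful for catching before the ACL is pushed to the switch.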
Of these types of VLANs, often only the user and perhaps management VLANs
are set up dynamically. In a large or complicated network, you should strongly
consider a solution such as IDM, which helps you quickly configure dynamic
VLAN settings on all of your RADIUS servers. (See “ProCurve IDM” on page
1-58.)