Security Solutions

1-35
Access Control Concepts
Network Access Control Technologies
Note: In “Endpoint Integrity” on page 1-36, you will learn about solutions that test endpoints for compliance with security policies. A network that enforces endpoint integrity might include additional VLANs:
Test VLANs—The VLANs in which endpoints are placed after they connect to the network but before they are tested by the network access controller. A test VLAN can be the same as the quarantine VLAN (described below) or its own VLAN. In either case, the VLAN should be rather restrictive.
Quarantine VLANs—The VLANs for endpoints that fail to comply with the network's security policies. A quarantine VLAN typically allows access only to resources necessary for bringing endpoints into compliance.
Infected VLANs—The VLANs for endpoints on which the NAC 800 detects viruses, trojans, or other malware. While you can place infected and quarantined endpoints in the same VLAN, you may want to separate them, so that infected endpoints cannot spread malware to the not-yet-infected but still insecure quarantined endpoints.
These VLANs would be assigned to endpoints dynamically as part of the policies sent out by the RADIUS server (which, if you are using the ProCurve NAC 800, could be the network access controller itself). Note, however, that some network access controllers use different methods to quarantine endpoints—methods that do not rely on VLAN assignments at all.
ACLs
A VLAN assignment ensures that a user receives an IP address in the correct
subnet. ACLs control communications between subnets so that users in a
particular VLAN receive access to the correct resources.
An ACL is a series of rules, or access control entries (ACEs), to which a network device compares every packet that arrives. Although ACLs can operate either at Layer 2 or Layer 3/4, this design guide focuses on Layer 3/4 ACLs. An ACE in such an ACL controls traffic according to a variety of fields in the IP header:
Protocol (TCP, UDP, Internet Group Management Protocol [IGMP], and so forth)
IP source address
Source port
IP destination address
Destination port (for example, UDP 67 to allow DHCP traffic or 80 to allow Web traffic)
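To show how a Layer 3/4 ACL with the fields above is actually evaluated, here is an added example (not code from the design guide or from any ProCurve product): a small first-match ACE evaluator with the implicit deny that network devices apply when no entry matches. The quarantine subnet 10.99.0.0/24 and remediation server 10.1.1.10 are constructed sample values chosen to model the restrictive quarantine VLAN described earlier.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional, Tuple


@dataclass(frozen=True)
class ACE:
    """One access control entry: action plus the Layer 3/4 match fields."""
    action: str                   # "permit" or "deny"
    protocol: str                 # "ip" matches any protocol; else "tcp", "udp", "igmp", ...
    src: str                      # source network in CIDR notation
    dst: str                      # destination network in CIDR notation
    dport: Optional[int] = None   # None means any destination port
    sport: Optional[int] = None   # None means any source port


def ace_matches(ace: ACE, proto: str, src: str, dst: str,
                sport: Optional[int], dport: Optional[int]) -> bool:
    """True if every field of the ACE agrees with the packet's header fields."""
    if ace.protocol != "ip" and ace.protocol != proto:
        return False
    if ip_address(src) not in ip_network(ace.src):
        return False
    if ip_address(dst) not in ip_network(ace.dst):
        return False
    if ace.dport is not None and ace.dport != dport:
        return False
    if ace.sport is not None and ace.sport != sport:
        return False
    return True


def evaluate(acl, proto, src, dst, sport=None, dport=None) -> Tuple[str, Optional[int]]:
    """Walk the ACL top-down; return (action, index) of the first matching ACE.
    If nothing matches, return ("deny", None) for the implicit deny at the end."""
    for index, ace in enumerate(acl):
        if ace_matches(ace, proto, src, dst, sport, dport):
            return ace.action, index
    return "deny", None


# Constructed sample ACL for a quarantine VLAN (assumed subnet 10.99.0.0/24):
# DHCP to any server, web to the assumed remediation server only, nothing else internal.
QUARANTINE_ACL = [
    ACE("permit", "udp", "0.0.0.0/0", "0.0.0.0/0", dport=67),          # DHCP requests
    ACE("permit", "tcp", "10.99.0.0/24", "10.1.1.10/32", dport=80),    # remediation, HTTP
    ACE("permit", "tcp", "10.99.0.0/24", "10.1.1.10/32", dport=443),   # remediation, HTTPS
    ACE("deny", "ip", "10.99.0.0/24", "10.0.0.0/8"),                   # block other internal hosts
]
```

Order matters: if the final `deny ip` entry were placed first, the remediation server would be unreachable, so an ACL should always be checked with packets that are meant to pass as well as packets that are meant to be dropped.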