Security Solutions
Access Control Concepts
ProCurve NAC 800
Because remediation is a key component of an endpoint integrity solution, the
NAC 800 does not follow this strategy. Instead, it places quarantined endpoints
in a subnet that exists in the private network, albeit in a carefully controlled way.
You can establish the quarantine subnet in one of these ways:
■ The NAC 800 assigns quarantined endpoints IP addresses that are valid
but unused in the production network. The quarantined “subnet” is not
truly a subnet, but rather an unused subset of an existing subnet.
For example, the network includes three Class C user subnets, each
with 100 users:
• 10.1.2.0/24
• 10.1.3.0/24
• 10.1.4.0/24
The DHCP server assigns users addresses in the 25 to 125 range—for
example, 10.1.2.25 to 10.1.2.125. The second half of each subnet
(10.1.X.128/25) is available for quarantined endpoints:
• Quarantine “subnet” = 10.1.2.128/25
• Quarantine “subnet” = 10.1.3.128/25
• Quarantine “subnet” = 10.1.4.128/25
Of course, the scopes on the network DHCP server must exclude these
addresses so that a healthy endpoint is not inadvertently assigned an
address in the quarantined subset.
■ The network administrator multinets the quarantine subnet on an existing
VLAN. Each VLAN requires its own quarantine subnet.
For example, the network includes two Class C subnets, each with
250 users:
• 192.168.8.0/24
• 192.168.12.0/24
A quarantine subnet isolates non-compliant endpoints from each existing
subnet:
• Quarantine subnet = 192.168.9.0/24
• Quarantine subnet = 192.168.13.0/24
The network administrator sets up multinetting on infrastructure devices
to accommodate the quarantine subnets. For example, a routing switch
could have this configuration:
• VLAN 2
IP address = 192.168.8.1/24
IP address = 192.168.9.1/24
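The first option above (an unused subset of each production /24) depends on the DHCP scope never reaching into the quarantine range. The following is an added example, not ProCurve's code or a NAC 800 feature: given each production subnet and the DHCP scope as a last-octet range, it carves out the upper /25 as the quarantine subset and rejects any scope that would hand a healthy endpoint a quarantine address. The function names and the sample subnets are assumptions chosen to match the example above.

```python
import ipaddress
from typing import Dict, List


def quarantine_subset(user_subnet: str) -> ipaddress.IPv4Network:
    """Reserve the upper /25 of a production /24 (e.g. 10.1.2.128/25) for quarantine."""
    net = ipaddress.ip_network(user_subnet, strict=True)
    if net.version != 4 or net.prefixlen != 24:
        raise ValueError(f"{user_subnet}: expected an IPv4 /24")
    # A /24 splits into exactly two /25s; the second one is the upper half.
    _lower, upper = net.subnets(prefixlen_diff=1)
    return upper


def scope_overlaps_quarantine(user_subnet: str, scope_lo: int, scope_hi: int) -> bool:
    """True if a DHCP scope given as a last-octet range (e.g. 25..125)
    would lease addresses that belong to the quarantine subset."""
    if not 1 <= scope_lo <= scope_hi <= 254:
        raise ValueError("scope must lie within the usable host range of the /24")
    net = ipaddress.ip_network(user_subnet, strict=True)
    quarantine = quarantine_subset(user_subnet)
    first = net.network_address + scope_lo
    last = net.network_address + scope_hi
    # Two ranges overlap unless one ends before the other begins.
    return not (last < quarantine.network_address or first > quarantine.broadcast_address)


def plan_quarantine(user_subnets: List[str], scope_lo: int, scope_hi: int) -> Dict[str, str]:
    """Map each production subnet to its quarantine subset, refusing any DHCP
    scope that leaks into that subset (the misconfiguration the text warns about)."""
    plan: Dict[str, str] = {}
    for subnet in user_subnets:
        if scope_overlaps_quarantine(subnet, scope_lo, scope_hi):
            raise ValueError(
                f"DHCP scope .{scope_lo}-.{scope_hi} on {subnet} overlaps the quarantine subset"
            )
        plan[subnet] = str(quarantine_subset(subnet))
    return plan


if __name__ == "__main__":
    # Constructed sample: the three Class C user subnets and the .25-.125 scope from the text.
    print(plan_quarantine(["10.1.2.0/24", "10.1.3.0/24", "10.1.4.0/24"], 25, 125))
```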