Security Solutions
Access Control Concepts
ProCurve NAC 800
[Figure: VLAN 3 multinetted with the IP addresses 192.168.12.1/24 and 192.168.13.1/24]
Restricting Access in the Quarantine Subnet. The NAC 800 uses one of
these methods to enforce the quarantine:
■ It does not assign quarantined endpoints a default gateway in their DHCP
configuration, and it sends them a subnet mask of 255.255.255.255. In
effect, each quarantined endpoint is isolated in a subnet that consists of
itself alone. To allow access to remediation services, the NAC 800 sends
the endpoints static routes to itself. It then acts as the endpoints' DNS
server and as a proxy Web server for the allowed sites.
■ Network infrastructure devices enforce static ACLs that drop all traffic
from quarantined addresses except traffic to remediation services.
Note If you select the static ACL option, you must ensure that the infrastructure
devices can filter the traffic correctly. For example, if you have
multinetted quarantine subnets on VLANs, the device must be able to apply
ACLs to traffic routed between the multinetted subnets. If you have assigned
quarantined endpoints IP addresses on existing subnets, the infrastructure
devices must be able to filter non-routed (switched) traffic, because a
quarantined endpoint then shares a subnet with clean endpoints and can reach
them without crossing a router. For example, the Switch 3500yl/5400zl/
6200yl Series supports VLAN ACLs, which filter all IP traffic regardless of
whether it is switched or routed.
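The following Python model is an added example, not code from the ProCurve documentation. It contrasts the two enforcement methods above and works through the note's caveat about switched versus routed traffic. The NAC 800 address 192.168.13.1, the multinetted subnets 192.168.12.0/24 and 192.168.13.0/24, the remediation server addresses and the quarantined hosts are all assumed for illustration; the DHCP option that carries the static routes and the ACL syntax of a real switch are not modelled.

```python
"""Model of the two NAC 800 quarantine-enforcement methods described above.
Constructed example (not ProCurve code); all addresses are assumed."""
import ipaddress

IPNet = ipaddress.ip_network
IPAddr = ipaddress.ip_address

NAC_800 = "192.168.13.1"                  # assumed: NAC 800 address on VLAN 3
VLAN3_SUBNETS = [IPNet("192.168.12.0/24"), IPNet("192.168.13.0/24")]  # assumed multinet
REMEDIATION = [IPNet("192.168.12.10/32"), IPNet("192.168.12.11/32")]  # assumed servers


# --- Method 1: isolation through the DHCP lease ---------------------------

def quarantine_lease(endpoint_ip: str) -> dict:
    """DHCP parameters the NAC 800 hands a quarantined endpoint: a host mask,
    no default router, DNS pointing at the NAC 800 and a static route to the
    NAC 800 itself. The option that carries the route is not modelled."""
    return {
        "address": endpoint_ip,
        "netmask": "255.255.255.255",
        "routers": [],                                    # no default gateway
        "static_routes": [IPNet(NAC_800 + "/32")],        # only the NAC 800
        "dns": [NAC_800],
    }


def normal_lease(endpoint_ip: str, router: str) -> dict:
    """An ordinary /24 lease with a default gateway, for comparison."""
    return {"address": endpoint_ip, "netmask": "255.255.255.0",
            "routers": [router], "static_routes": [], "dns": [router]}


def lease_reachable(lease: dict, dst: str) -> bool:
    """Can an endpoint configured from `lease` forward a packet to `dst`?
    The connected route is derived from address and mask, so a /32 mask
    covers only the endpoint itself; a default route exists only if a
    router was offered. Next-hop resolution (ARP) is not modelled."""
    d = IPAddr(dst)
    connected = IPNet(f"{lease['address']}/{lease['netmask']}", strict=False)
    routes = [connected] + list(lease["static_routes"])
    if lease["routers"]:
        routes.append(IPNet("0.0.0.0/0"))
    return any(d in prefix for prefix in routes)


# --- Method 2: static ACLs on the infrastructure devices ------------------

def acl_permits(src: str, dst: str, quarantined: set) -> bool:
    """The ACL itself: drop everything from a quarantined address except
    traffic to the NAC 800 or to a remediation service; permit the rest."""
    if src not in quarantined:
        return True
    d = IPAddr(dst)
    return d == IPAddr(NAC_800) or any(d in net for net in REMEDIATION)


def same_subnet(a: str, b: str) -> bool:
    return any(IPAddr(a) in n and IPAddr(b) in n for n in VLAN3_SUBNETS)


def routed_acl_forwards(src: str, dst: str, quarantined: set) -> bool:
    """A routed (interface) ACL sees only packets the device routes, i.e. src
    and dst on different subnets. Traffic switched inside one subnet never
    reaches it, which is the gap the note above warns about."""
    if same_subnet(src, dst):
        return True                 # switched at layer 2, ACL not consulted
    return acl_permits(src, dst, quarantined)


def vlan_acl_forwards(src: str, dst: str, quarantined: set) -> bool:
    """A VLAN ACL is applied to all IP traffic on the VLAN, switched or
    routed, so the quarantine holds either way."""
    return acl_permits(src, dst, quarantined)


def compare_enforcement() -> dict:
    """The note's cases, with constructed addresses: a quarantined host on an
    existing subnet, one in the multinetted quarantine subnet, and remediation."""
    quarantined = {"192.168.12.50", "192.168.13.50"}
    cases = {
        "existing_subnet_to_neighbour": ("192.168.12.50", "192.168.12.60"),
        "multinet_to_other_subnet":     ("192.168.13.50", "192.168.12.60"),
        "to_remediation":               ("192.168.13.50", "192.168.12.10"),
    }
    return {name: {"routed_acl": routed_acl_forwards(s, d, quarantined),
                   "vlan_acl": vlan_acl_forwards(s, d, quarantined)}
            for name, (s, d) in cases.items()}


if __name__ == "__main__":
    lease = quarantine_lease("192.168.13.50")
    for dst in ("192.168.13.50", NAC_800, "192.168.13.51", "8.8.8.8"):
        print(f"quarantined lease -> {dst}: {lease_reachable(lease, dst)}")
    for name, result in compare_enforcement().items():
        print(f"{name}: {result}")
```

The "multinet" case assumes the switch treats traffic between the two subnets on VLAN 3 as routed and consults the ACL there; a device that cannot apply ACLs to multinetted traffic would behave like the switched case and let the quarantined host through. Only the VLAN ACL path drops the quarantined host's traffic to a neighbour on the same existing subnet, which is the point the note makes.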
Inline Deployment Method
As with the other deployment methods, the NAC 800 tests endpoints for
compliance with NAC policies and grants or denies network access
accordingly.
An inline NAC 800 also enforces its own decisions. It acts as a firewall
between its two Ethernet ports: port 1 connects to the private network, and
port 2 connects to the endpoints to be tested. Endpoints on the port 2 side
cannot access any resources on the port 1 side until the NAC 800 has tested
them and confirmed that they comply with NAC policies. The NAC 800 is
therefore typically deployed at a "choke point," such as a VPN gateway, with
all valuable resources located beyond its port 1.