ProCurve has long been at the forefront of network security strategy and innovation. A prime example is the ProCurve ProActive Defense strategy, which aims to deliver a trusted network infrastructure: resilient to threats, controllable for appropriate use, and able to protect data and its integrity for all users.
A key component of ProCurve ProActive Defense (on the ProActive side) is access security: ensuring that the network proactively prevents breaches by controlling which users may reach which systems, and how they connect, whether wired or wireless. Network access control helps ensure that only authorized users get onto the network, and that each user is granted access only to the resources he or she is authorized to use. With security now among the leading causes of sleepless nights for network managers, enterprises must administer network access according to each user's rights and needs.
For example, it is appropriate for doctors and nurses in a hospital to have access to patient records. But that kind of access would not be appropriate for the receptionist at the front desk or for the cook in the cafeteria. Similarly, it might be appropriate for a daytime manufacturing worker to have network access during normal working hours near his assembly station; but you might want to deny him network access after hours. And for people who have no business on your network, it is appropriate to give them no access at all.
An effective network access control policy should keep the bad guys on the outside and ensure that those on the inside access network resources only according to who they are, where they are connecting from and when they are connecting. At the same time, it should let the enterprise network remain flexible.
The following are seven steps to achieving effective network access control:
Step 1: Choose a network access control method and a client technology
For each network segment, choose the access control method (and the matching client technology) that fits its requirements and your business drivers. There are three to choose from:
- IEEE 802.1X (port-based authentication; requires a supplicant on the client and carries EAP)
- Web authentication (the user enters credentials in a browser; no client software, but the port is open only after login)
- MAC authentication (the device's MAC address is the credential; weakest of the three, since MAC addresses are easily spoofed, so reserve it for devices that cannot run a supplicant)
Step 2: Choose the network infrastructure devices
Network infrastructure devices such as switches, access points and WAN routers that support RADIUS authentication can directly control a client's connection to the network. Not every edge device supports all three authentication methods equally: the ability of a given device to enforce security policy depends on the access control method in use and on whether the client is connecting over wired or wireless.
Step 3: Choose the RADIUS server
Remote Authentication Dial-In User Service (RADIUS) is an industry-standard protocol that provides authentication, authorization and accounting services. It runs between a device that offers users network access (the network access server, or NAS, for example a switch or access point) and a server that authenticates those users. A RADIUS deployment involves three components:
- Access client
- Network access server
- RADIUS server
Plan to use a single type of RADIUS server (for example, Microsoft IAS or FreeRADIUS) across your entire network, even when it contains a variety of usage environments, so choose it with all of those environments in mind. This is also the time to invest in a central user database (LDAP or Active Directory) that the RADIUS server queries.
Step 4: Choose the EAP method (if using 802.1X)
Extensible Authentication Protocol (EAP) methods matter only if you use the 802.1X access control method; web and MAC authentication do not carry EAP. Choose an EAP method that provides mutual authentication, so that the client authenticates the network as well as the network authenticating the client (for example, EAP-TLS, or PEAP with server certificate validation enabled on the client). Without mutual authentication a client will readily hand its credentials to a rogue access point or switch.
Step 5: Lay out the network segment
In this phase you design the network segments that suit the various usage environments of your network. Do this for the network core and for each usage environment. Introduce access control first in a limited area (meeting rooms, for example), gain experience, and then prepare for a full roll-out.
Step 6: Integrate all network segments
Once you have laid out the various segments in your network, you can optimize your design by integrating the segments into a unified whole.
Step 7: Consider ProCurve's Identity Driven Management (IDM)
IDM provides network access control based on user identity rather than on network equipment: access policy is defined centrally and applied dynamically at the network edge, on the port or access point where the user connects.
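The seven steps above come together in the RADIUS exchange between the edge device and the RADIUS server. The following is an added, self-contained example written for this page; it is not ProCurve's code and not part of the original article. It builds an Access-Request the way a switch (the NAS) would, evaluates it on the server against a user store and a policy keyed on who is connecting, which switch port they are on and at what hour, and returns an Access-Accept carrying a dynamic VLAN assignment or an Access-Reject, which the NAS then verifies before acting on it. The shared secret, the users, the policy, the port numbers and the VLAN IDs are all constructed for the example; the central LDAP/AD directory is stood in for by a dictionary, and the credential is sent with RFC 2865 User-Password hiding (as web authentication would) rather than inside an EAP method, which keeps the packet format visible.

```python
import hashlib
import hmac
import os
import socket
import struct

SHARED_SECRET = b"example-shared-secret"  # constructed NAS<->server secret, not a real one
# RFC 2865 packet codes and the attribute types used here (Tunnel-* are from RFC 2868)
ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3
USER_NAME, USER_PASSWORD, NAS_IP_ADDRESS, NAS_PORT = 1, 2, 4, 5
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
TUNNEL_VLAN, MEDIUM_IEEE_802 = 13, 6
# Constructed user store and policy; in production this is the central LDAP/AD directory.
USERS = {"drjones": (b"S3cret!", "clinical"), "worker42": (b"rivet", "assembly"),
         "cook": (b"pasta", "cafeteria")}  # no POLICY rule: authenticates, authorized for nothing
# role -> (allowed NAS ports or None for any, allowed hours [start, end), VLAN ID to assign)
POLICY = {"clinical": (None, (0, 24), "20"),          # patient-records VLAN, anywhere, any time
          "assembly": ({1, 2, 3, 4}, (6, 18), "30")}  # assembly-floor ports, day shift only

def password_xor(data, secret, req_auth, hiding):
    """RFC 2865 s5.2: XOR each 16-byte block with MD5(secret + previous ciphertext block),
    seeded by the Request Authenticator. Keyed obfuscation, not strong encryption."""
    out, prev = b"", req_auth
    for i in range(0, len(data), 16):
        block = bytes(a ^ b for a, b in zip(data[i:i + 16], hashlib.md5(secret + prev).digest()))
        out, prev = out + block, (block if hiding else data[i:i + 16])
    return out

def hide_password(password, secret, req_auth):
    return password_xor(password + b"\x00" * (-len(password) % 16), secret, req_auth, True)

def reveal_password(hidden, secret, req_auth):
    return password_xor(hidden, secret, req_auth, False).rstrip(b"\x00")

def encode_attrs(attrs):
    """[(type, value)] -> RADIUS TLVs: 1-byte type, 1-byte total length, value."""
    return b"".join(struct.pack("!BB", t, len(v) + 2) + v for t, v in attrs)

def decode_attrs(data):
    attrs, i = [], 0
    while i < len(data):
        t, length = struct.unpack("!BB", data[i:i + 2])
        if length < 2 or i + length > len(data):
            raise ValueError("malformed attribute")
        attrs.append((t, data[i + 2:i + length]))
        i += length
    return attrs

def build_access_request(ident, username, password, nas_ip, nas_port, secret=SHARED_SECRET):
    """NAS side (the switch or access point): the Access-Request it sends to the server."""
    req_auth = os.urandom(16)  # Request Authenticator must be fresh and unpredictable
    body = encode_attrs([(USER_NAME, username.encode()),
                         (USER_PASSWORD, hide_password(password.encode(), secret, req_auth)),
                         (NAS_IP_ADDRESS, socket.inet_aton(nas_ip)),
                         (NAS_PORT, struct.pack("!I", nas_port))])
    return struct.pack("!BBH", ACCESS_REQUEST, ident, 20 + len(body)) + req_auth + body

def response_authenticator(code, ident, body, req_auth, secret):
    """RFC 2865 s3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    return hashlib.md5(struct.pack("!BBH", code, ident, 20 + len(body)) + req_auth + body + secret).digest()

def handle_access_request(packet, hour, secret=SHARED_SECRET):
    """RADIUS server side; 'hour' is the server clock's hour of day, injected for determinism."""
    code, ident, length = struct.unpack("!BBH", packet[:4])
    if code != ACCESS_REQUEST or length != len(packet) or length < 20:
        raise ValueError("not a well-formed Access-Request")
    req_auth = packet[4:20]
    attrs = dict(decode_attrs(packet[20:length]))
    username = attrs.get(USER_NAME, b"").decode(errors="replace")
    password = reveal_password(attrs.get(USER_PASSWORD, b""), secret, req_auth)
    nas_port = struct.unpack("!I", attrs.get(NAS_PORT, b"\0\0\0\0"))[0]
    code, resp_attrs = ACCESS_REJECT, []
    entry = USERS.get(username)
    if entry and hmac.compare_digest(entry[0], password):  # who: identity check
        ports, (start, end), vlan = POLICY.get(entry[1], (set(), (0, 0), None))
        if (ports is None or nas_port in ports) and start <= hour < end:  # where, when
            # Dynamic VLAN assignment; the leading zero byte of each 4-byte value is the RFC 2868 tag
            code, resp_attrs = ACCESS_ACCEPT, [(TUNNEL_TYPE, struct.pack("!I", TUNNEL_VLAN)),
                                               (TUNNEL_MEDIUM_TYPE, struct.pack("!I", MEDIUM_IEEE_802)),
                                               (TUNNEL_PRIVATE_GROUP_ID, vlan.encode())]
    body = encode_attrs(resp_attrs)
    return (struct.pack("!BBH", code, ident, 20 + len(body))
            + response_authenticator(code, ident, body, req_auth, secret) + body)

def verify_response(response, request, secret=SHARED_SECRET):
    """NAS side: recompute the Response Authenticator before acting on the verdict."""
    code, ident, length = struct.unpack("!BBH", response[:4])
    if length != len(response) or ident != request[1]:
        return False
    expected = response_authenticator(code, ident, response[20:length], request[4:20], secret)
    return hmac.compare_digest(expected, response[4:20])

def decide(username, password, nas_port, hour):
    """End to end: NAS builds the request, server evaluates it, NAS checks the reply."""
    request = build_access_request(7, username, password, "10.0.0.2", nas_port)
    response = handle_access_request(request, hour)
    if not verify_response(response, request):
        raise ValueError("Response Authenticator mismatch")
    vlan = dict(decode_attrs(response[20:])).get(TUNNEL_PRIVATE_GROUP_ID)
    return response[0], (vlan.decode() if vlan else None)  # e.g. (2, "20") or (3, None)
```

Calling decide("drjones", "S3cret!", 9, 3) yields an Access-Accept with VLAN 20, decide("worker42", "rivet", 2, 22) is rejected because the assembly worker is outside working hours, and decide("cook", "pasta", 1, 12) is rejected even though the password is right, because authentication without authorization grants nothing. Two points worth carrying into a real deployment: the NAS must check the Response Authenticator (verify_response) or anyone who can inject a UDP packet can forge an Accept, and the whole scheme is only as strong as the shared secret and MD5, which is why 802.1X with a mutually authenticating EAP method is preferred over password-carrying methods for anything sensitive.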
For more information on ProCurve security and network access control solutions, please visit the ProCurve Web site.