HP ProCurve Network Access Controller 800

HP Updated: 2009-02-23

The HP ProCurve Network Access Controller (NAC) 800 combines a RADIUS-based authentication server and the ability to validate the integrity of the systems connecting to the network, allowing network administrators to secure the network from unauthorized users and systems that pose a threat to network resources.

* Managed security appliance
* Built-in RADIUS authentication server
* Endpoint integrity (EI) testing (requires licenses)
* Centralized management of NAC endpoint policies
* Scalable and flexible endpoint license management

Management
* Centralized endpoint policy management: endpoint testing policies are centrally managed by a single management server and shared by up to ten enforcement servers
* Administration console: a Web-based console provides an easy-to-use interface for configuring endpoint policies and enforcement clusters as well as a dashboard-style interface for viewing the status of endpoint integrity testing
* Default testing policies: default testing policies provide a great starting point for endpoint testing and can be easily utilized as the basis for custom testing policies
* Network management server integration: the HP ProCurve Network Access Controller 800 management server is discovered and monitored by the HP ProCurve Manager platform to enable unified device and security management; the Web-based administration console of the ProCurve Network Access Controller 800 is integrated into the ProCurve Manager display for a cohesive management experience

Performance
* Efficient endpoint testing: typical endpoint testing can be completed in less than ten seconds, avoiding lengthy wait times as endpoints are connected to the network
* Support for up to 30,000 concurrent endpoints in one management domain: each enforcement server can support up to 3,000 endpoints, and one management server can control up to ten enforcement servers

Resiliency and high availability
* Enforcement server resiliency and redundancy: enable high network availability for mission-critical LAN deployments; enforcement servers continue to provide authentication and endpoint testing services in the absence of a management server and can be configured in clusters to provide redundancy and load-balancing for endpoint testing

Security
* Built-in RADIUS server: can perform authentication services or act as a proxy server for a remote RADIUS authentication service
* Supports a standards-based or local authentication directory: can integrate with existing Active Directory or standard LDAP directory services or can host a local authentication directory for smaller environments
* Endpoint integrity assessment: enables both pre-authentication and post-authentication testing of network-attached endpoints; includes an extensive set of built-in endpoint tests and is extensible to test for any prohibited or required software:
o Operating system: versions, service pack levels, and hot fixes
o Security settings: firewall, auto-update, and browser security settings
o Security software: antivirus, antispyware, and firewalls
o Malware: spyware, worms, viruses, and trojans
o Applications: peer-to-peer and instant messaging software
* Flexible enforcement modes: offer multiple enforcement modes that can be used together and centrally managed by a single management server to share endpoint policies and licenses:
o RADIUS: integrates with RADIUS authentication to allow access only to authorized users and devices; uses RADIUS authorization capabilities to isolate endpoints for testing before providing complete network access and to isolate non-compliant endpoints
o DHCP: integrates with DHCP servers to isolate and test endpoints before they are allowed to access production networks and interact with other network clients and resources
o Inline: actively monitors a link for new endpoints and tests them before they are allowed to access the network; enables testing of remote endpoints connecting through a VPN concentrator
* Flexible testing methods: enables endpoint testing that meets the broad needs of most businesses, including solutions for both managed and unmanaged endpoints:
o Agent based: a permanent agent can be installed on endpoints to evaluate endpoint integrity status; it is the most efficient mode for managed endpoints that will continually connect to the network
o Transient agent: an agent is temporarily downloaded to the endpoint to evaluate endpoint integrity; this enables unmanaged endpoints to be tested without the need for an agent to be preloaded or to remain on the endpoint
o Agentless: uses administrative credentials for an endpoint along with native communications protocols to evaluate the endpoint integrity status; enables endpoints that are part of a managed domain or have known administrative credentials to be tested without ever loading an agent
* Endpoint quarantine: policy-based enforcement allows for isolation of non-compliant endpoints
* Configurable remediation feedback: provides administrator-customized feedback to users on how they can remediate their systems and be allowed full network access
* Integration with Microsoft SMS: endpoints that fail testing and are also managed by a Microsoft Systems Management Server (SMS) agent will be prompted to contact the SMS for updates and will be retested once updates have been applied

Policy management
* Policy-based network access rights: integrate with ProCurve Identity Driven Manager and network devices to apply centrally managed network access policies to be enforced at the edge of the network, where users and devices attach; allow network administrators to easily create and maintain robust access policies, including secure guest access to appropriate network services, without risk to the network

Product Architecture
* The ProCurve Network Access Controller 800: can be configured to take on different roles in a secure network access solution:
o Management server: a centralized server that manages and monitors multiple enforcement servers, including the endpoint integrity policies and centralized logging of endpoint authentication and test results, availability, and status
o Enforcement server: provides RADIUS-based authentication of endpoints, along with testing of endpoints to evaluate compliance with endpoint integrity policies, policy-based isolation of non-compliant endpoints, and customized user feedback on how to remediate issues
o Combination server: a single-server solution that combines the management server and enforcement server roles into a single appliance solution. A combination server only manages the enforcement server that is running in the combination server. A combination server can also be used in conjunction with ProCurve Identity Driven Manager to provide RADIUS-based authentication and the Identity Driven Manager adaptive networking capabilities without endpoint integrity testing
o Note: endpoint integrity testing is a capability that requires the additional purchase of HP ProCurve NAC Endpoint Integrity Agent licenses (see Accessories) and an initial Implementation Startup Service provided by a ProCurve-certified service provider or purchased through ProCurve (see Services).