Introduction; The Components; HP PC Client Computing Solutions - HP BladeSystem bc2000 - Blade PC Manual

For thin clients and CCI

Introduction

This white paper provides a reference implementation of layered security policy enforcement created
by integrating HP thin clients and Consolidated Client Infrastructure (CCI) blade PCs with Network
Admission Control (NAC) solutions from Cisco. The combination of HP thin clients and Consolidated
Client Infrastructure (CCI) blade PCs provides a very robust, secure, and cost-effective computing
solution that can be applied to any network. As with any other networked component, it is important to
examine the security issues associated with their operation. This paper addresses the use of network
policy enforcement services with HP thin clients and blade PCs linked to the Cisco Clean Access Manager
and Clean Access Server NAC appliances, built from HP ProLiant DL140 and DL360 servers,
respectively. This configuration provides strong network policy enforcement to ensure that client devices on
the network are properly configured; clients that are not can be quarantined and/or remediated.
Overviews of NAC, as well as usage models and known working implementations, are provided.

The Components

HP PC Client Computing Solutions

HP PC client computing solutions consist of two major components: thin clients and blade PCs. A thin
client is a computing device without a hard drive that provides display and input/output for
applications running on remotely located servers or blade PCs. A basic thin client consists of a
processor, flash memory for storing the embedded operating system, local RAM, a network adapter,
and standard input/output for the display and other select peripherals. HP thin clients have no moving
parts, offering higher reliability than a PC, lower ownership costs, enhanced security, and extended
product life. These small, robust devices consume significantly less energy than a desktop PC, put out
less heat into your office spaces, are made with much less material than a desktop, and are
practically silent.

HP offers thin clients based on three operating systems: Windows XPe, Debian Linux, and Windows
CE. Each operating system provides protection for the OS image housed within the flash device while
creating a partition on that flash device to act as a virtual hard drive. Only an account with
administrator privileges can make changes to the base image to add applications or operating system
patches. With the Windows XPe operating system, HP also includes a Sygate firewall on the base
image that locks down all ports except those necessary for typical Microsoft Remote Desktop Protocol
(RDP) and Citrix-level connections and general Web browsing. The Sygate settings must be edited to
unlock any additional ports on the thin client.

Consolidated Client Infrastructure (CCI) is the enterprise/data center computing architecture through
which blade PCs can be allocated to end-users connecting on thin clients. The blade PCs are stored
and managed in a centralized location, and are accessed through HP Remote Graphics Software
(RGS) or RDP. A remote user can present credentials to the HP Session Allocation Management (SAM)
service and be connected to a computing session on a blade PC with access to network resources
such as applications and data. Unlike Terminal Services-, Citrix-, or VDI-hosted computing sessions,
CCI computing sessions typically match a connected user to a blade PC that is not shared,
which provides a stable computing experience that does not change as additional users are added to
the array of blade PCs.

Although CCI blade PCs are housed in the data center for security, they are full-blooded PC systems
running the latest operating systems. As such, it is assumed in this paper that images for blades are
configured with a firewall and virus scanning software as a security baseline. For the usage models
presented here, the blades were configured to use the native Windows XP firewall, as well as
anti-malware software.