Enterasys 9034385 User Manual



The correct user manual

Regulations oblige the seller to hand over the user manual for the Enterasys 9034385 to the buyer together with the goods. A missing manual, or incorrect information passed on to the consumer, forms grounds for a complaint on the basis of the device's non-conformity with the contract. The law permits the manual to be supplied in a form other than paper, which has recently become very common, by providing a graphical or electronic manual for the Enterasys 9034385 as well as instructional videos for users. The condition is that its form is legible and comprehensible.

What is a user manual?

The word comes from the Latin "instructio", i.e. to arrange. Accordingly, the manual for the Enterasys 9034385 contains a description of the stages of the procedures. The aim of the manual is instruction, simplifying the start-up and use of the device or the performance of certain tasks. The manual is a collection of information about an object/service, a guide.

Unfortunately, not many users devote their time to the user manual for the Enterasys 9034385. A good user manual not only lets you get to know a range of additional functions of the purchased device, but also helps you avoid many mistakes.

So what should an ideal user manual contain?

The user manual for the Enterasys 9034385 should above all contain the following:
- Information about the technical data of the Enterasys 9034385
- The name of the manufacturer and the year of manufacture of the Enterasys 9034385
- Principles of operation, adjustment and maintenance of the Enterasys 9034385
- Safety marks and certificates confirming compliance with the relevant standards

Why don't we read user manuals?

The reason is a lack of time and a feeling of confidence about the particular functions of the purchased devices. Unfortunately, simply connecting and starting the Enterasys 9034385 is not enough. A manual contains a series of notes on particular functions, safety principles, types of maintenance (even which agents should be used), possible faults of the Enterasys 9034385 and ways of solving problems that might arise during use. After all, the manual also contains the contact number for Enterasys service if the suggested solutions are not effective. Currently, manuals in the form of interesting animations or video guides are gaining popularity, as they appeal to the user more than a brochure. This type of manual guarantees that the user watches the whole video without skipping the specific and complicated technical descriptions of the Enterasys 9034385, as happens with the paper form.

Why should you read user manuals?

In the user manual we find above all the answers about the construction and capabilities of the Enterasys 9034385, about the use of certain accessories, and a range of information that makes it possible to use all of its functions and conveniences.

After a successful purchase of the device, you should devote some time to getting to know every part of the Enterasys 9034385 manual. Currently they are carefully prepared or translated so that they are not only comprehensible to users but also fulfil their basic help-and-information function.

Table of contents of the user manual

  • Page 1

    Enterasys ® Network Access Control Design Guide P/N 9034385[...]

  • Page 2

    [...]

  • Page 3

    i Notice Enterasys Networks reserves the right to make changes in specifications and other information contained in this document and its web site without prior notice. The reader should in all cases consult Enterasys Networks [...]

  • Page 4

    ii[...]

  • Page 5

    iii Contents About This Guide Intended Audience ... vii Related Documents ... [...]

  • Page 6

    iv Chapter 3: Use Scenarios Scenario 1: Intelligent Wired Access Edge ... 3-1 Policy-Enabled Edge ... 3-2 RFC [...]

  • Page 7

    v Unregistered Policy ... 5-28 Inline NAC Design Procedures ... 5-28 1. Determine NAC Controller Loc[...]

  • Page 8

    vi[...]

  • Page 9

    Enterasys NAC Design Guide vii About This Guide The NAC Design Guide describes the technical considerations for the planning and design of the Enterasys Network Access Control (NAC) solution. The guide includes the following information: Inten[...]

  • Page 10

    Getting Help viii About This Guide • Enterasys NAC Manager Online Help. Explains how to use NAC Manager to configure your NAC appliances, and to put in place authentication and assessment requirements for the end-systems a[...]

  • Page 11

    Enterasys NAC Design Guide 1-1 1 Overview This chapter provides an overview of the Enterasys Network Access Control (NAC) solution, including a description of key NAC functions and deployment models. It also introduces the required and [...]

  • Page 12

    NAC Solution Overview 1-2 Overview Assessment Determine if the device complies with corporate security and configuration requirements, such as operating system patch revision levels and antivirus signature definitions. Other security compliance req[...]

  • Page 13

    NAC Solution Overview Enterasys NAC Design Guide 1-3 Model 1: End-system Detection and Tracking This NAC deployment model implements the detection piece of NAC functionality. It supports the ability to track users and end-systems over time by identify[...]

  • Page 14

    NAC Solution Components 1-4 Overview NAC Solution Components This section discusses the required and optional components of the Enterasys NAC solution, beginning with the following table that summarizes the component requirements for each of the[...]

  • Page 15

    NAC Solution Components Enterasys NAC Design Guide 1-5 Enterasys offers two types of NAC appliances: the NAC Gateway appliance implements out-of-band network access control, and the NAC Controller appliance implements inline network access [...]

  • Page 16

    NAC Solution Components 1-6 Overview of supporting authentication and/or authorization. The NAC Controller is also required in IPSec and SSL VPN deployments. The NAC Controller provides integrated vulnerability assessment server functionality an[...]

  • Page 17

    NAC Solution Components Enterasys NAC Design Guide 1-7 Appliance Comparison The following table compares how the two NAC appliance types implement the five NAC functions. Table 1-2 Comparison of Appliance Functionality NAC Function NAC Gateway NAC Controller Detection RADIUS authenticatio[...]

  • Page 18

    NAC Solution Components 1-8 Overview Table 1-3 outlines the advantages and disadvantages of the two appliance types as they pertain to network security, scalability, and configuration/implementation. Table 1-3 Comparison of Appliance Advantages and Disadvant[...]

  • Page 19

    NAC Solution Components Enterasys NAC Design Guide 1-9 NetSight Management The NAC appliances are configured, monitored, and managed through management applications within the Enterasys NetSight Suite. NetSight is a family of products comprised of NetS[...]

  • Page 20

    Summary 1-10 Overview NetSight Console NetSight Console is used to monitor the health and status of infrastructure devices in the network, including switches, routers, Enterasys NAC appliances (NAC Gateways and NAC Controllers) as well[...]

  • Page 21

    Summary Enterasys NAC Design Guide 1-11 • Model 3: End-System Authorization with Assessment - Implements detection, authentication, assessment, and authorization to provide network access control based on the security posture of a conne[...]

  • Page 22

    Summary 1-12 Overview[...]

  • Page 23

    Enterasys NAC Design Guide 2-1 2 NAC Deployment Models This chapter describes the four NAC deployment models and how they build on each other to provide a complete NAC solution. The first model implements a subset of the five k[...]

  • Page 24

    Model 1: End-System Detection and Tracking 2-2 NAC Deployment Models RADIUS Access-Accept or Access-Reject message received from the upstream RADIUS server, is returned without modification to the access edge switch, to permit end-system access [...]

  • Page 25

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-3 and information on the network. Enterasys NAC can be leveraged to provide information to SIM solutions, by mapping an IP address to an identity, such as a MAC address [...]

  • Page 26

    Model 2: End-System Authorization 2-4 NAC Deployment Models device identity, user identity, and/or location information is used to authorize the connecting end-system with a certain level of network access. It is important to note that [...]

  • Page 27

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-5 The NAC Controller may either deny the end-system access to the network or assign the end-system to a particular set of network resources by specifying a particular p[...]

  • Page 28

    Model 2: End-System Authorization 2-6 NAC Deployment Models is only provisioned by the Enterasys NAC solution when the devices connect to switches in the Network Operations Center (NOC). This level of granularity in provisioning access to [...]

  • Page 29

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-7 a password in the registration web page. This sponsor username and password can be validated against an existing database on the network to authenticate the sponsor's i[...]

  • Page 30

    Model 3: End-System Authorization with Assessment 2-8 NAC Deployment Models A RADIUS server is only required if out-of-band network access control using the NAC Gateway, or inline network access control using the Layer 2 NAC Controller [...]

  • Page 31

    Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2-9 server is running or if the HTTP server is out-of-date) and client-side checks (running applications, software configurations, installed operating system patches) provide[...]

  • Page 32

    Model 3: End-System Authorization with Assessment 2-10 NAC Deployment Models Features and Value In addition to the features and values found in Model 1 and Model 2, the following are key pieces of functionality and value propositions supported [...]

  • Page 33

    Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2-11 • Application configuration The NAC solution can determine which services and applications are installed and enabled on the end-system. Certain applications should be r[...]

  • Page 34

    Model 4: End-System Authorization with Assessment and Remediation 2-12 NAC Deployment Models Required and Optional Components This section summarizes the required and optional components for Model 3. The NAC Gateway and NAC Controller are the NAC appliances used [...]

  • Page 35

    Model 4: End-System Authorization with Assessment and Remediation Enterasys NAC Design Guide 2-13 Assisted remediation informs end users when their end-systems have been quarantined due to network security policy non-compliance, and allows end users to [...]

  • Page 36

    Model 4: End-System Authorization with Assessment and Remediation 2-14 NAC Deployment Models Inline NAC For inline Enterasys NAC deployments utilizing the Layer 2 or Layer 3 NAC Controller, the NAC functions are implemented in the following way: Detection [...]

  • Page 37

    Model 4: End-System Authorization with Assessment and Remediation Enterasys NAC Design Guide 2-15 traffic with specific source and destination characteristics as well as specific application identifiers (UDP/TCP ports). In addition, the Enterasys NAC solution w[...]

  • Page 38

    Summary 2-16 NAC Deployment Models Summary Enterasys supports all of the five key NAC functions: detection, authentication, assessment, authorization, and remediation. However, not all five functions need to be implemented concurrently in a [...]

  • Page 39

    Enterasys NAC Design Guide 3-1 3 Use Scenarios This chapter describes four NAC use scenarios that illustrate how the type of NAC deployment is directly dependent on the infrastructure devices deployed in the network. For some network [...]

  • Page 40

    Scenario 1: Intelligent Wired Access Edge 3-2 Use Scenarios within the same Quarantine VLAN because the authorization point is usually implemented at the exit point of the VLAN via Access Control Lists (ACLs). Policy-Enabled Edge The following figu[...]

  • Page 41

    Scenario 1: Intelligent Wired Access Edge Enterasys NAC Design Guide 3-3 RFC 3580 Capable Edge In this figure the NAC Gateway and the other Enterasys NAC components provide network access control for a network with third-party switches that support [...]

  • Page 42

    Scenario 1: Intelligent Wired Access Edge 3-4 Use Scenarios Scenario 1 Implementation In the intelligent wired edge use scenario, the five NAC functions are implemented in the following manner: 1. Detection - The user's end-system connects to th[...]

  • Page 43

    Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-5 intelligent edge on the network. The Matrix N-series switch is capable of authenticating and authorizing multiple devices connected to a single port for a variety of[...]

  • Page 44

    Scenario 2: Intelligent Wireless Access Edge 3-6 Use Scenarios Figure 3-3 Intelligent Wireless Access Edge - Thin APs with Wireless Switch (figure labels: Wireless Access Point, Enterasys NAC Manager, Intelligent Wireless Controller (RFC 3850-compliant), NAC Gateway (out-of-band appliance), Assessment Server, Authentication Server (optionally integrated [...]

  • Page 45

    Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-7 Thick Wireless Edge In a thick wireless deployment, access points forward wireless end-system traffic directly onto the wired infrastructure without the use of a wireless switch. [...]

  • Page 46

    Scenario 2: Intelligent Wireless Access Edge 3-8 Use Scenarios Scenario 2 Implementation In the intelligent wireless access edge use scenario, the five NAC functions are implemented in the following manner: 1. Detection - The user's end-system conne[...]

  • Page 47

    Scenario 3: Non-intelligent Access Edge (Wired and Wireless) Enterasys NAC Design Guide 3-9 It is important to note that if the wireless edge of the network is non-intelligent and not capable of authenticating and authorizing wireless end-systems, [...]

  • Page 48

    Scenario 3: Non-intelligent Access Edge (Wired and Wireless) 3-10 Use Scenarios Figure 3-5 Non-intelligent Access Edge (Wired and Wireless) (figure labels: Enterasys NAC Manager, NAC Controller (inline appliance), Assessment Server, Authentication Server (optionally integrated in NAC Controller), Role=Quarantine, Layer 3 Wired LAN, Role=Quarantine, Ro[...]

  • Page 49

    Scenario 4: VPN Remote Access Enterasys NAC Design Guide 3-11 Scenario 3 Implementation In the non-intelligent access edge use scenario, the five NAC functions are implemented in the following manner: 1. Detection - The user's end-system connects [...]

  • Page 50

    Scenario 4: VPN Remote Access 3-12 Use Scenarios Figure 3-6 VPN Remote Access Scenario 4 Implementation In the VPN remote access use scenario, the five NAC functions are implemented in the following manner with the deployment of the NAC Controller for [...]

  • Page 51

    Summary Enterasys NAC Design Guide 3-13 5. Remediation - When the quarantined end user opens a web browser to any web site, its traffic is dynamically redirected to a Remediation web page that describes the compliance violation[...]

  • Page 52

    Summary 3-14 Use Scenarios Scenario 4: VPN remote access Summary: VPN concentrators act as a termination point for remote access VPN tunnels into the enterprise network. Appliance Requirement: NAC Controller Inline network access control is implemented by deploying the NAC Controller appliance to locally authorize connecting end-systems. Table[...]

  • Page 53

    Enterasys NAC Design Guide 4-1 4 Design Planning This chapter describes the steps you should take as you begin planning your NAC deployment. The first step is to identify the deployment model that best meets your business objecti[...]

  • Page 54

    Survey the Network 4-2 Design Planning access to a web browser to safely remediate their quarantined end-system without impacting IT operations. Once a deployment model is selected, the current network infrastructure must be examined to[...]

  • Page 55

    Survey the Network Enterasys NAC Design Guide 4-3 The network shown in Figure 4-1 below illustrates the following three examples of how the intelligent edge can be implemented in a network. • Policy-enabled Enterasys devices at the [...]

  • Page 56

    Survey the Network 4-4 Design Planning For the inline implementation of the Enterasys NAC solution, the NAC Controller authenticates and authorizes end-systems locally on the appliance, and does not rely on the capabilities of downstr[...]

  • Page 57

    Survey the Network Enterasys NAC Design Guide 4-5 to locally authorize all MAC authentication requests for connecting end-systems, thereby not requiring a list of known MAC addresses. In fact, Enterasys NAC can be configured in a [...]

  • Page 58

    Survey the Network 4-6 Design Planning Similar to 802.1X, web-based authentication requires the input of credentials and is normally used on user-centric end-systems that have a concept of an associated user, such as a PC. [...]

  • Page 59

    Survey the Network Enterasys NAC Design Guide 4-7 system at a time, then it is suggested that MAC locking (also known as Port Security) be enabled on the edge switches to restrict the number of connecting devices. If multiple[...]

  • Page 60

    Survey the Network 4-8 Design Planning authenticated to the network and interact with Enterasys NAC for authentication, assessment, authorization, and remediation. Note however, that this configuration may not be possible if trusted users [...]

  • Page 61

    Survey the Network Enterasys NAC Design Guide 4-9 If the network infrastructure does not contain intelligent devices at the edge or distribution layer, then inline NAC using the NAC Controller as the authorization point for connecting [...]

  • Page 62

    Survey the Network 4-10 Design Planning this case, the thick AP deployment falls into the category of non-intelligent edge devices with the same NAC implementations as a non-intelligent wired edge. These non-intelligent APs must [...]

  • Page 63

    Identify Inline or Out-of-band NAC Deployment Enterasys NAC Design Guide 4-11 Remote Access VPN In many enterprise environments, a VPN concentrator located at the main site connects to the Internet to provide VPN access to remote users. In this sce[...]

  • Page 64

    Summary 4-12 Design Planning server. In addition, NAC can also be configured to locally authorize MAC authentication requests. 3. Identify the strategic point in the network where end-system authorization should be implemented. The mos[...]

  • Page 65

    Enterasys NAC Design Guide 5-1 5 Design Procedures This chapter describes the design procedures for Enterasys NAC deployment on an enterprise network. The first section discusses procedures for both out-of-band and inline NAC deployments. [...]

  • Page 66

    Procedures for Out-of-Band and Inline NAC 5-2 Design Procedures Policy Manager is not required for out-of-band NAC that utilizes RFC 3580-compliant switches (Enterasys and third-party switches). In this case, a VLAN is specified in [...]

  • Page 67

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-3 Figure 5-1 Security Domain NAC Configurations Each Security Domain has a default "NAC configuration" that defines the authentication, assessment, and authorization parameters for all end-systems [...]

  • Page 68

    Procedures for Out-of-Band and Inline NAC 5-4 Design Procedures Figure 5-2 NAC Configuration Authentication The Authentication settings define how RADIUS requests are handled for authenticating end-systems (this does not apply to Layer 3 NAC Controllers.) This[...]

  • Page 69

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-5 • How health results are processed. When an assessment is performed on an end-system, a "health result" is generated. For each health result, there may be several [...]

  • Page 70

    Procedures for Out-of-Band and Inline NAC 5-6 Design Procedures The following figure shows the NAC Manager window used to create or edit a NAC Configuration and define its authentication, assessment, and authorization attributes. Figure 5-3 NAC Configurati[...]

  • Page 71

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-7 The following table provides examples of various network scenarios that should be considered when identifying the number and configuration of Security Domains in your NAC [...]

  • Page 72

    Procedures for Out-of-Band and Inline NAC 5-8 Design Procedures Area of the network that provides access to a group of users or devices that pose a potentially high risk to the security or stability of the network. • Switches that provide access to guest users or contractors on a corporate network. These users are usually not directly under the[...]

  • Page 73

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-9 Area of the network that is configured to allow access only to specific end-systems or users. • Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks. For the NAC Gateway, reject a[...]

  • Page 74

    Procedures for Out-of-Band and Inline NAC 5-10 Design Procedures The following table provides network scenarios from an assessment standpoint that should be taken into account when identifying the number and configuration of Security Domains. Table 5-2[...]

  • Page 75

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-11 Area of the network, or a group of end-systems or users, that require assessment with immediate network access. • Switches that provide network access to mission critical servers, mandating uninterrupted network connectivity while still implementing assessment. • Switc[...]

  • Page 76

    Procedures for Out-of-Band and Inline NAC 5-12 Design Procedures 3. Identify Required MAC and User Overrides MAC and user overrides are used to handle end-systems that require a different set of authentication, assessment, and authorization parameters from the[...]

  • Page 77

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-13 The following figure displays the windows used for MAC and user override configuration in NAC Manager. Notice that either an existing NAC Configuration can be used or [...]

  • Page 78

    Procedures for Out-of-Band and Inline NAC 5-14 Design Procedures The following table describes scenarios where a MAC override may be configured for a particular end-system. Table 5-3 MAC Override Configuration Guidelines Network Scenario Examples Security Domain Configuration A dev[...]

  • Page 79

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-15 A device or class of devices needs to be restricted network access ("blacklisted") in a particular Security Domain or in all Security Domains. Denying access or quarantining the MAC addresses of laptops used by guests or contractors in those areas of the network designa[...]

  • Page 80

    Procedures for Out-of-Band and Inline NAC 5-16 Design Procedures User Overrides A user override lets you create a configuration for a specific end user, based on the user name. For example, you could create a user override that gives a [...]

  • Page 81

    Assessment Design Procedures Enterasys NAC Design Guide 5-17 Manager will not match this end-system and the end-system is assigned the Security Domain's default NAC configuration. In addition, the Layer 3 NAC Controller is not able [...]

  • Page 82

    Assessment Design Procedures 5-18 Design Procedures 2. Determine Assessment Server Location When determining the location of the assessment servers on the network, the following factors should be considered: • The type of assessment: agent-less or agen[...]

  • Page 83

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5-19 configuration if the security vulnerability is considered a risk for the organization. For more information on Nessus, refer to http://nessus.org/ . Out-of-Band NAC Design Procedures The following [...]

  • Page 84

    Out-of-Band NAC Design Procedures 5-20 Design Procedures 2. Determine the Number of NAC Gateways The number of NAC Gateways to be deployed on the network is a function of the following parameters: • The number of Security Domains configured on the[...]

  • Page 85

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5-21 Figure 5-5 NAC Gateway Redundancy It is important that the secondary NAC Gateway does not exceed maximum capacity if the primary NAC Gateway fails on the network. For example, let's[...]

  • Page 86

    Out-of-Band NAC Design Procedures 5-22 Design Procedures primary NAC Gateway, the transition to the secondary NAC Gateway will not exceed maximum capacity. To support redundancy within a Security Domain for either approach, one additional [...]

  • Page 87

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5-23 It is important to note that only the NAC Gateways that are configured with remediation and registration functionality need to be positioned in such a manner. All other [...]

  • Page 88

    Out-of-Band NAC Design Procedures 5-24 Design Procedures 6. VLAN Configuration This step is for NAC deployments that use RFC-3580-compliant switches in the intelligent edge of the network to implement dynamic VLAN assignment of connecting devi[...]

  • Page 89

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5-25 previously specified in the NAC configuration must be defined in NetSight Policy Manager to ensure the consistent allocation of network resources to connecting end-systems. Failsafe [...]

  • Page 90

    Out-of-Band NAC Design Procedures 5-26 Design Procedures Figure 5-6 Policy Role Configuration in NetSight Policy Manager Assessment Policy The Assessment Policy may be used to temporarily allocate a set of network resources to end-systems while they are being ass[...]

  • Page 91

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5-27 Figure 5-7 Service for the Assessing Role Note that it is not mandatory to assign the Assessment Policy to a connecting end-system while it is being assessed. NAC can be configured [...]

  • Page 92

    Inline NAC Design Procedures 5-28 Design Procedures Figure 5-8 Service for the Quarantine Role Furthermore, the Quarantine Policy and other network infrastructure devices must be configured to implement HTTP traffic redirection for quarantined end-systems to [...]

  • Page 93

    Inline NAC Design Procedures Enterasys NAC Design Guide 5-29 However, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complex[...]

  • Page 94

    Inline NAC Design Procedures 5-30 Design Procedures 2. Determine the Number of NAC Controllers The number of NAC Controllers to be deployed on the network is a function of the following parameters: • The network topology. Because the NAC Controller is [...]

  • Page 95

    Inline NAC Design Procedures Enterasys NAC Design Guide 5-31 Figure 5-9 Layer 2 NAC Controller Redundancy For a Layer 3 NAC Controller, redundancy is achieved by implementing redundant Layer 3 NAC Controllers on adjacent, but separate networks as shown in [...]

  • Page 96

    Inline NAC Design Procedures 5-32 Design Procedures 3. Identify Backend RADIUS Server Interaction Layer 2 NAC Controllers detect downstream end-systems via authentication: MAC, web-based, or 802.1X. If web-based or 802.1X authentication is implemented, th[...]

  • Page 97

    Additional Considerations Enterasys NAC Design Guide 5-33 assessment servers to reach the end-system while it is being assessed, regardless of whether the Assessing policy, Enterprise User policy, or any other policy role is utilized [...]

  • Page 98

    Additional Considerations 5-34 Design Procedures[...]