Enterasys 9034385 manuel d'utilisation

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

Aller à la page of

Un bon manuel d’utilisation

Les règles imposent au revendeur l'obligation de fournir à l'acheteur, avec des marchandises, le manuel d’utilisation Enterasys 9034385. Le manque du manuel d’utilisation ou les informations incorrectes fournies au consommateur sont à la base d'une plainte pour non-conformité du dispositif avec le contrat. Conformément à la loi, l’inclusion du manuel d’utilisation sous une forme autre que le papier est autorisée, ce qui est souvent utilisé récemment, en incluant la forme graphique ou électronique du manuel Enterasys 9034385 ou les vidéos d'instruction pour les utilisateurs. La condition est son caractère lisible et compréhensible.

Qu'est ce que le manuel d’utilisation?

Le mot vient du latin "Instructio", à savoir organiser. Ainsi, le manuel d’utilisation Enterasys 9034385 décrit les étapes de la procédure. Le but du manuel d’utilisation est d’instruire, de faciliter le démarrage, l'utilisation de l'équipement ou l'exécution des actions spécifiques. Le manuel d’utilisation est une collection d'informations sur l'objet/service, une indice.

Malheureusement, peu d'utilisateurs prennent le temps de lire le manuel d’utilisation, et un bon manuel permet non seulement d’apprendre à connaître un certain nombre de fonctionnalités supplémentaires du dispositif acheté, mais aussi éviter la majorité des défaillances.

Donc, ce qui devrait contenir le manuel parfait?

Tout d'abord, le manuel d’utilisation Enterasys 9034385 devrait contenir:
- informations sur les caractéristiques techniques du dispositif Enterasys 9034385
- nom du fabricant et année de fabrication Enterasys 9034385
- instructions d'utilisation, de réglage et d’entretien de l'équipement Enterasys 9034385
- signes de sécurité et attestations confirmant la conformité avec les normes pertinentes

Pourquoi nous ne lisons pas les manuels d’utilisation?

Habituellement, cela est dû au manque de temps et de certitude quant à la fonctionnalité spécifique de l'équipement acheté. Malheureusement, la connexion et le démarrage Enterasys 9034385 ne suffisent pas. Le manuel d’utilisation contient un certain nombre de lignes directrices concernant les fonctionnalités spécifiques, la sécurité, les méthodes d'entretien (même les moyens qui doivent être utilisés), les défauts possibles Enterasys 9034385 et les moyens de résoudre des problèmes communs lors de l'utilisation. Enfin, le manuel contient les coordonnées du service Enterasys en l'absence de l'efficacité des solutions proposées. Actuellement, les manuels d’utilisation sous la forme d'animations intéressantes et de vidéos pédagogiques qui sont meilleurs que la brochure, sont très populaires. Ce type de manuel permet à l'utilisateur de voir toute la vidéo d'instruction sans sauter les spécifications et les descriptions techniques compliquées Enterasys 9034385, comme c’est le cas pour la version papier.

Pourquoi lire le manuel d’utilisation?

Tout d'abord, il contient la réponse sur la structure, les possibilités du dispositif Enterasys 9034385, l'utilisation de divers accessoires et une gamme d'informations pour profiter pleinement de toutes les fonctionnalités et commodités.

Après un achat réussi de l’équipement/dispositif, prenez un moment pour vous familiariser avec toutes les parties du manuel d'utilisation Enterasys 9034385. À l'heure actuelle, ils sont soigneusement préparés et traduits pour qu'ils soient non seulement compréhensibles pour les utilisateurs, mais pour qu’ils remplissent leur fonction de base de l'information et d’aide.

Table des matières du manuel d’utilisation

  • Page 1

    Enterasys ® Network Access Control Design Guide P/N 9034385[...]

  • Page 2

    [...]

  • Page 3

    i Notice Enterasys Networks  reserves  the  right  to  make  changes  in  specifications  and  other  information  contained  in  this  document  and  its  web  si te  without  prior  notice.  The  reader  should  in  all  cases  co nsult  Enterasys Netw orks [...]

  • Page 4

    ii[...]

  • Page 5

    iii Contents About This Guide Intended Audience .......... ............. ................. ............ ................. ............. ................ ........... .................. ............. vii Related Documents ............... ............. ................ ............. ................ ............. ................ ....... ............ [...]

  • Page 6

    iv Chapter 3: Use Scenarios Scenario 1: Intelligent Wired Access E dge ............ ............. ................ ................ ............. ............... ..... ........... 3-1 Policy-Enabled Edge ................. ............. ............ ................. ............. ............ ............. .......... ................ ..... 3-2 RFC [...]

  • Page 7

    v Unregistered Policy ................... ............. ............. ................ ............. ................ ............. ..... .............. 5-28 Inline NAC Design Procedures ........... ................ ............. ................ ................ ............. ............. .......... ......... 5-28 1. Determine NAC Contro ller Loc[...]

  • Page 8

    vi[...]

  • Page 9

    Enterasys NAC Design Gu ide vii About This Guide The  NAC  Design  Guide  describes  the  technical  considerations  for  the  planning  and  design  of  the  Enterasys  Netw ork  Access  Contr ol  (NAC)  solution.  The  guide  includes  the  following  information: Inten[...]

  • Page 10

    Getting Help viii About This Guide •E n t e r a s y s  NA C  Manager  Online  Help.  Explains  how  to  use  NAC  Manager  to  configure  you r  NAC  appliances,  and  to  put  in  place  authenti cation  and  assessment  requirements  for  the  end ‐ systems  a[...]

  • Page 11

    Enterasys NAC Design Guide 1-1 1 Overview This  chapter  provides  an  overview  of  the  Enterasys  Network  Access  Control  (NAC)  solution,  including  a  descripti on  of  key  NAC  functions  and  deployment  models.  It  also  introd uces  the  required  and [...]

  • Page 12

    NAC Solution Overview 1-2 Overview Assessment Determine  if  th e  device  complies  with  corporate  security  and  configuration  requirements,  such  as  operating  system  patch  revision  levels  and  anti virus  signature  definitions.  Other  security  compliance  req[...]

  • Page 13

    NAC Solution Overview Enterasys NAC Design Guide 1-3 Model 1: End-system Detection and T racking This  NAC  deployment  model  implements  the  detection  piece  of  NAC  functionality .  It  supports  the  ability  to  track  users  and  end ‐ sys tems  over  time  by  identify[...]

  • Page 14

    NAC Solution Components 1-4 Overview NAC Solution Component s This  section  discusses  the  required  and  optional  components  of  the  Enterasys  NAC  solution,  beginning  with  the  following  table  that  summarizes  the  component  requirements  for  each  of  the[...]

  • Page 15

    NAC Solution Components Enterasys NAC Design Guide 1-5 Enterasys  offers  two  types  of  NA C  appliances:  the  NAC  Gatew ay  appliance  implements  out ‐ of ‐ band  network  access  control,  and  the  NAC  Controller  appliance  implements  inline  network  access  [...]

  • Page 16

    NAC Solution Components 1-6 Overview of  supporting  authentication  and/or  authorization.  The  NAC  Controller  is  also  required  in  IPSec  and  SSL  VPN  deployments.  The  NAC  Controller  provides  integrated  vulnerability  assessment  serv er  functionality  an[...]

  • Page 17

    NAC Solution Components Enterasys NAC Design Guide 1-7 Appliance Comp arison The  following  table  compares  how  the  two  NA C  appliance  types  implement  the  five  NAC  functions. T able 1-2 Comp arison of Appliance Funct ionality NAC Function NAC Gateway NAC Controller Detection RADIUS authenticatio[...]

  • Page 18

    NAC Solution Components 1-8 Overview Ta b l e 1 ‐ 3  outlines  the  advantages  and  disadv antages  of  the  two  appliance  types  as  they  pertain  to  network  securi ty ,  scalabilit y ,  and  configuration/implementation. T able 1-3 Comp arison of Appliance Adva ntag es and Disadvant[...]

  • Page 19

    NAC Solution Components Enterasys NAC Design Guide 1-9 NetSight Management The  NAC  appliances  are  configured,  monit ored,  and  managed  through  management  applications  within  the  Enterasys  NetSight  Suite.  Net Sight  is  a  family  of  products  comprised  of  NetS[...]

  • Page 20

    Summary 1-10 Overview NetSight Console NetSight  Console  is  used  to  monitor  the  health  and  status  of  infrastructure  devices  in  the  netw ork,  including  switches,  routers,  Enterasys  NAC  appliances  (NAC  Gatew ays  and  NAC  Controllers)  as  wel l[...]

  • Page 21

    Summary Enterasys NAC Design Guide 1 -11 •M o d e l  3:  End ‐ Syst em  Authorization  with  Assessment ‐ Implements  detection ,  authentication ,  assessment ,  and  authorization  to  provide  network  access  control  based  on  the  security  posture  of  a  conne[...]

  • Page 22

    Summary 1-12 Overview[...]

  • Page 23

    Enterasys NAC Design Guide 2-1 2 NAC Deployment Models This  chapter  descri bes  the  four  NAC  deployment  models  and  how  they  build  on  each  other  to  provide  a  complete  NAC  solution.  The  first  model  imple ments  a  subset  of  the  fiv e  k[...]

  • Page 24

    Model 1: End-System Detection and Tracking 2-2 NAC Deployment Models RADIUS  Access ‐ Accept  or  Access ‐ Reject  message  received  from  the  upstream  RADIUS  server ,  is  returned  without  modification  to  the  access  edge  switch,  to  permit  end ‐ system  access [...]

  • Page 25

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-3 and  information  on  the  network.  Enteras ys  NAC  can  be  leveraged  to  provide  information  to  SIM  solutions,  by  mapping  an  IP  address  to  an  identity ,  such  as  a  MAC  address  [...]

  • Page 26

    Model 2: End-System Authorization 2-4 NAC Deployment Models device  ide ntity ,  us er  identity ,  and/or  location  information  is  used  to  authorize  the  connecting  end ‐ system  with  a  certain  level  of  netw ork  access.  It  is  important  to  note  that ?[...]

  • Page 27

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-5 The  NAC  Controller  may  eithe r  deny  the  end ‐ system  access  to  the  network  or  assign  the  end ‐ system  to  a  particular  set  of  networ k  reso urces  by  specifying  a  particular  p[...]

  • Page 28

    Model 2: End-System Authorization 2-6 NAC Deployment Models is  only  provisioned  by  the  Enterasys  NAC  sol ution  when  the  devices  connect  to  switches  in  the  Network  Operations  Center  (NOC).  This  level  of  granularity  in  provisioning  access  to ?[...]

  • Page 29

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-7 a  password  in  the  registration  web  page.  This  sponsor  username  and  passw ord  can  be  va l i d a te d  agai nst  an  existing  database  on  the  netw ork  to  authentica te  the  sponsor ʹ s  i[...]

  • Page 30

    Model 3: End-System Authorization with Assessment 2-8 NAC Deployment Models A  RADIUS  serv er  is  only  required  if  out ‐ of ‐ band  netw ork  access  control  using  the  NAC  Gatewa y ,  or  inline  netw ork  access  control  using  the  Layer  2  NAC  Co ntroller [...]

  • Page 31

    Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2-9 server  is  running  or  if  the  HTTP  server  is  out ‐ of ‐ date)  and  client ‐ side  checks  (run ning  applications,  softw are  configurations,  instal led  operating  system  patches)  provide[...]

  • Page 32

    Model 3: End-System Authorization with Assessment 2-10 NAC Deployment Models Features and V alue In  addition  to  the  features  and  val u e s  found  in  Model  1  and  Model  2,  the  following  are  key  pieces  of  functionality  and  va lu e  propositions  supported  [...]

  • Page 33

    Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2 -11 •A p p l i c a t i o n  configuration The  NAC  solution  can  determine  which  services  and  applications  are  installed  and  enabled  on  the  end ‐ system.  Certain  applications  should  be  r[...]

  • Page 34

    Model 4: End-System Authorization with Assessment and Remediation 2-12 NAC Deployment Models Required and Optional Component s This  section  summarizes  the  required  and  optional  components  for  Mod el  3. . The  NAC  Gatew ay  and  NAC  Controller  are  the  NAC  appliances  used ?[...]

  • Page 35

    Model 4: End-System Authorization with Assessment and Reme diation Enterasys NAC Design Guide 2 -13 Assisted  remediation  informs  end  users  when  their  end ‐ systems  have  been  quarantin ed  due  to  network  securi ty  policy  non ‐ compliance,  and  allows  end  users  to ?[...]

  • Page 36

    Model 4: End-System Authorization with Assessment and Remediation 2-14 NAC Deployment Models Inline NAC For  inline  Enterasys  NAC  deployments  utilizing  the  Lay er  2  or  Layer  3  NAC  Controller ,  the  NAC  functions  are  implemented  in  the  following  way : Detection [...]

  • Page 37

    Model 4: End-System Authorization with Assessment and Reme diation Enterasys NAC Design Guide 2 -15 traffic  with  specific  source  and  destination  cha racteristics  as  well  as  specific  app lication  identifiers  (UDP/TCP  ports).  In  addi tion,  the  Enterasys  NAC  solution  w[...]

  • Page 38

    Summary 2-16 NAC Deployment Models Summary Enterasys  supports  all  of  the  five  key  NAC  functions:  detection,  authentication,  assessment,  authorization,  and  remediation.  Howev er ,  not  all  fiv e  functions  need  to  be  implemented  concurrently  in  a ?[...]

  • Page 39

    Enterasys NAC Design Guide 3-1 3 Use Scenarios This  chapter  describes  four  NAC  use  scenarios  that  illustrate  how  the  type  of  NAC  deployment  is  directly  dependent  on  the  infrastructure  devices  deployed  in  the  netw ork.  For  some  network [...]

  • Page 40

    Scenario 1: Intelligent Wired Access Edge 3-2 Use Scenarios within  the  same  Quarantine  VLAN  because  the  authorization  point  is  usually  implemented  at  the  exit  point  of  the  VLAN  via  Access  Control  Lists  (ACL s). Policy-Enabled Edge The  fol lowing  figu[...]

  • Page 41

    Scenario 1: Intelligent Wired Access Edge Enterasys NAC Design Guide 3-3 RFC 3580 Cap able Edge In  this  figure  the  NAC  Gatew ay  and  the  other  Enterasys  NAC  components  provide  network  access  control  for  a  network  with  third ‐ party  switches  that  support [...]

  • Page 42

    Scenario 1: Intelligent Wired Access Edge 3-4 Use Scenarios Scenario 1 Implementation In  the  intelligent  wi red  edge  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  connects  to  th[...]

  • Page 43

    Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-5 intellig ent  edge  on  the  network.  The  Mat rix  N ‐ series  switch  is  capable  of  authenticating  and  authorizing  multiple  devices  connected  to  a  single  port  for  a  vari e t y  of[...]

  • Page 44

    Scenario 2: Intelligent Wireless Access Edge 3-6 Use Scenarios Figure 3-3 Intelligent Wirele ss Access Edge - Thin APs with W ireless Switch 1 4 3 2 Wireless Access Point 5 3 Enterasys NAC Manager Intelligent Wireless Controller (RFC 3850-compliant) NAC Gateway (out- of-band appliance) Assessment Server Authentication Server (optionally integrated [...]

  • Page 45

    Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-7 Thick Wireless Edge In  a  thick  wireless  deployment,  access  points  forward  wirele ss  end ‐ system  traffic  directly  onto  the  wired  infrastructure  without  the  use  of  a  wireless  switch. ?[...]

  • Page 46

    Scenario 2: Intelligent Wireless Access Edge 3-8 Use Scenarios Scenario 2 Implementation In  the  intelligent  wireless  access  edge  use  scen ario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  conne[...]

  • Page 47

    Scenario 3: Non-intelligent Access Edge (Wired and Wireless) Enterasys NAC Design Guide 3-9 It  is  important  to  note  that  if  the  wireless  edge  of  the  network  is  non ‐ i ntelligent  and  not  capable  of  authenticating  and  authorizing  wireless  end ‐ systems, ?[...]

  • Page 48

    Scenario 3: Non-intelligent Access Edge ( Wired and Wireless) 3-10 Use Scenarios Figure 3-5 Non-intelligent Access Edge (W ired and Wireless) 2 3 3 3 4 5 1 3 Enterasys NAC Manager NAC Controller (inline appliance) Assessment Server Authentication Server (optionally integrated in NAC Controller) Role= Quarantine Layer 3 Wired LAN Role= Quarantine Ro[...]

  • Page 49

    Scenario 4: VPN Remote Access Enterasys NAC Design Guide 3 -11 Scenario 3 Implementation In  the  non ‐ intelligent  access  edge  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  connects ?[...]

  • Page 50

    Scenario 4: VPN Remote Access 3-12 Use Scenarios Figure 3-6 VPN Remote Access Scenario 4 Implementation In  the  VPN  remote  access  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner  with  the  deployment  of  the  NAC  Controller  for ?[...]

  • Page 51

    Summary Enterasys NAC Design Guide 3 -13 5.  Remediation ‐  When  the  quarantined  end  user  opens  a  web  browser  to  any  web  site,  its  traffic  is  dynamically  redirect ed  to  a  Remediation  web  page  that  describes  the  compliance  violation[...]

  • Page 52

    Summary 3-14 Use Scenarios Scenario 4: VPN remote access Summary: VPN concentrators act as a termination point for remote access VPN tunn els into the enterprise network. Appliance Requirement: NAC Contr oller Inline net work access control is implem ented by deploying the NAC Controller appliance to locally authorize connecting end-systems. T able[...]

  • Page 53

    Enterasys NAC Design Guide 4-1 4 Design Planning This  chapter  descri bes  the  steps  yo u  should  take  as  yo u  begin  planning  yo ur  NAC  deployment.  The  first  step  is  to  identify  the  deployment  model  that  best  meets  you r  business  objecti[...]

  • Page 54

    Survey the Network 4-2 Design Planning access  to  a  web  browser  to  safely  remediate  their  quarantined  end ‐ syst em  without  impacting  IT  operations. Once  a  deployment  model  is  se lected,  the  current  network  infrastructure  must  be  examined  to[...]

  • Page 55

    Survey the Network Enterasys NAC Design Guide 4-3 The  network  shown  in  Figure 4 ‐ 1  below ,  illustrates  the  following  three  examples  of  how  the  intellig ent  edge  can  be  implemented  in  a  networ k. • Policy ‐ enabled  Enterasys  devices  at  the  [...]

  • Page 56

    Survey the Network 4-4 Design Planning For  the  inline  implementation  of  the  Enterasys  NAC  solution,  the  NAC  Controller  authenticates  and  authorizes  end ‐ systems  locally  on  the  appliance,  and  does  not  rely  on  the  capabilities  of  downstr[...]

  • Page 57

    Survey the Network Enterasys NAC Design Guide 4-5 to  locally  authorize  all  MAC  authentication  reque sts  for  connecting  end ‐ systems,  thereby  not  requiring  a  li st  of  known  MAC  addre sses.  In  fact,  Enterasys  NAC  can  be  configur ed  in  a  [...]

  • Page 58

    Survey the Network 4-6 Design Planning Similar  to  802.1X,  web ‐ based  authentication  requires  the  input  of  credentials  and  is  normally  use d  on  user ‐ centric  end ‐ systems  that  hav e  a  concept  of  an  associated  user ,  such  as  a  PC. [...]

  • Page 59

    Survey the Network Enterasys NAC Design Guide 4-7 system  at  a  time,  then  it  is  sugg ested  that  MAC  locking  (also  known  as  Po r t  Secu rity)  be  enabled  on  the  edge  switches  to  restrict  the  number  of  connecting  devi ces.  If  multiple[...]

  • Page 60

    Survey the Network 4-8 Design Planning authenticated  to  the  netw ork  and  interact  with  Enter asys  NAC  for  authenticati on,  assessment,  authorization,  and  remediation.  Note  how ever ,  that  this  configuration  may  not  be  possible  if  trusted  users ?[...]

  • Page 61

    Survey the Network Enterasys NAC Design Guide 4-9 If  the  network  infrastructure  does  not  contain  intelligent  devices  at  the  edg e  or  distributi on  layer ,  then  inline  NAC  using  the  NAC  Controller  as  the  authorization  point  for  connecting  [...]

  • Page 62

    Survey the Network 4-10 Design Planning this  case,  the  thick  AP  deployment  falls  into  the  category  of  non ‐ intelligent  ed ge  devices  with  the  same  NAC  implementations  as  a  non ‐ intelligent  wired  edge.  These  non ‐ intelligent  APs  must [...]

  • Page 63

    Identify Inline or Out-of-band NAC Dep loyment Enterasys NAC Design Guide 4 -11 Remote Access VPN In  many  enterprise  environments,  a  VPN  concentrator  located  at  the  main  site  connects  to  the  Internet  to  provide  VPN  access  to  remote  users.  In  this  sce[...]

  • Page 64

    Summary 4-12 Design Planning server .  In  addi tion,  NAC  can  also  be  configured  to  locally  authorize  MA C  authentication  requests. 3. Identify  the  strategic  point  in  the  network  where  end ‐ system  authorization  should  be  implemented.  The  mos[...]

  • Page 65

    Enterasys NAC Design Guide 5-1 5 Design Procedures This  chapter  descri bes  the  design  procedures  for  Enterasys  NAC  deployment  on  an  ente rprise  network.  The  first  section  discusses  procedures  for  both  out ‐ of ‐ band  and  inline  NAC  deployments. ?[...]

  • Page 66

    Procedures for Out-of-Band and Inline NAC 5-2 Design Procedures Po l i c y  Manager  is  not  re quired  for  out ‐ of ‐ band  NAC  that  utilizes  RFC  3580 ‐ compliant  switches  (Enterasys  and  third ‐ party  switches).  In  this  case,  a  VLAN  is  specified  in ?[...]

  • Page 67

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-3 Figure 5-1 Se curity Domain NAC Configurations Each  Security  Domain  has  a  default  “NAC  configuration”  that  defines  the  authentication,  assessment,  and  authorization  parameters  for  all  end ‐ systems ?[...]

  • Page 68

    Procedures for Out-of-Band and Inline NAC 5-4 Design Procedures Figure 5-2 NAC Configuration Authentication The  Authenticati on  settings  define  how  RADIUS  requests  are  handled  for  au thenticating  end ‐ systems  (this  does  not  apply  to  Layer  3  NAC  Controllers.)  This[...]

  • Page 69

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-5 •H o w  health  results  are  processed. When  an  assessment  is  performed  on  an  end ‐ syste m,  a  “health  result”  is  generated.  For  each  health  result,  there  may  be  sev eral  ?[...]

  • Page 70

    Procedures for Out-of-Band and Inline NAC 5-6 Design Procedures The  following  figure  shows  the  NAC  Manager  window  used  to  create  or  edit  a  NAC  Configuration  and  defi ne  its  authentication,  assessment,  and  a uthorization  attributes. Figure 5-3 NAC Configurati[...]

  • Page 71

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-7 The  following  table  provides  examples  of  var i o u s  network  scenarios  that  should  be  considered  when  identifyi ng  the  number  and  configuration  of  Sec urity  Domains  in  your  NAC  [...]

  • Page 72

    Procedures for Out-of-Band and Inline NAC 5-8 Design Procedures Area of the network that provides access to a group of users or devices that pose a potentiall y high risk to the security or stability of the network. • Switches that provide access to guest users or contractors on a corporate network. These users are usually not directly unde r the[...]

  • Page 73

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-9 Area of the network that is configured to allow access only to specific end-systems or users. • Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks. For the NAC Gateway , reject a[...]

  • Page 74

    Procedures for Out-of-Band and Inline NAC 5-10 Design Procedures The  following  table  provides  network  scenarios  from  an  as sessment  standpoint  that  should  be  taken  into  account  when  identifying  the  number  and  configuration  of  Security  Domains. T able 5-2[...]

  • Page 75

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -11 Area of the network, or a group of end-systems or users, that require assessment with immediate network access. • Switches that provide network acce ss to mission critical servers, mandating uninterrupted network con nectivity while still implementing assessment. • Switc[...]

  • Page 76

    Procedures for Out-of-Band and Inline NAC 5-12 Design Procedures 3. Identify Required MAC and User Overrides MAC  and  user  overr ides  are  used  to  handle  end ‐ syste ms  that  require  a  different  set  of  authentication,  assessment,  and  authorization  parameters  from  the[...]

  • Page 77

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -13 The  following  figure  display s  the  windows  used  for  MAC  and  user  override  configura tion  in  NAC  Manager .  Notice  that  either  an  existing  NAC  Config uration  can  be  used  or [...]

  • Page 78

    Procedures for Out-of-Band and Inline NAC 5-14 Design Procedures The  following  table  describes  scenarios  where  a  MAC  ov erride  may  be  configured  for  a  particular  end ‐ system. T able 5-3 MAC Override Configuratio n Guidelines Network Scenario Examples Security Domain Config uration A dev[...]

  • Page 79

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -15 A device or class of devices needs to be restricted network access (“blacklisted”) in a particular Security Domain or in all Security Domains. Denying access or quarantining the MAC addresses of laptops used b y guests or contractors in those areas of the network designa[...]

  • Page 80

    Procedures for Out-of-Band and Inline NAC 5-16 Design Procedures User Overrides A  user  ov erride  lets  you  create  a  configuration  for  a  specific  end  user ,  based  on  the  user  name.  For  example,  you  could  create  a  user  override  that  gives  a [...]

  • Page 81

    Assessment Design Procedures Enterasys NAC Design Guide 5 -17 Manager  will  not  match  this  end ‐ system  and  the  end ‐ sy stem  is  assigned  the  Security  Domain’ s  default  NAC  config uration.  In  addition,  the  Layer  3  NAC  Controller  is  not  able [...]

  • Page 82

    Assessment Design Procedures 5-18 Design Procedures 2. Determine Assessm ent Server Location When  determining  the  location  of  the  assessme nt  servers  on  th e  network,  the  following  factors  should  be  considered: •T h e  type  of  assessment:  agent ‐ less  or  agen[...]

  • Page 83

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -19 configuration  if  the  security  vul nerability  is  considered  a  risk  for  the  organization.  For  more  information  on  Nessus,  ref er  to  http://nessus.org/ . Out-of-Band NAC Design Procedures The  following  [...]

  • Page 84

    Out-of-Band NAC Design Procedures 5-20 Design Procedures 2. Determine the Number of NAC Gateways The  number  of  NAC  Gatew ays  to  be  depl oyed  on  the  netw ork  is  a  function  of  the  following  parameters: •T h e  number  of  Security  Domains  configured  on  th e[...]

  • Page 85

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -21 Figure 5-5 NAC Gateway Redund ancy It  is  important  that  the  secondary  NAC  Gatew ay  does  not  exceed  maximum  capacity  if  the  primary  NAC  Gatew ay  fails  on  the  network.  For  example,  let’ s[...]

  • Page 86

    Out-of-Band NAC Design Procedures 5-22 Design Procedures primary  NAC  Gatew ay ,  the  transition  to  the  secondary  NAC  Gateway  wi ll  not  exceed  maximum  capacity .  To  support  redundancy  within  a  Secu rity  Domain  for  either  approach,  one  addi tional ?[...]

  • Page 87

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -23 It  is  important  to  not e  that  only  the  NAC  Gateways  that  are  configured  with  remediation  and  registration  functionality  need  to  be  positioned  in  such  a  manner .  All  other  [...]

  • Page 88

    Out-of-Band NAC Design Procedures 5-24 Design Procedures 6. VLAN Configuration This  step  is  for  NA C  deployments  tha t  use  RFC ‐ 3580 ‐ compliant  switches  in  the  intelligent  edge  of  the  network  to  impl ement  dynamic  VLAN  assignment  of  connecting  devi[...]

  • Page 89

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -25 previously  specified  in  the  NAC  configuration  must  be  def ined  in  NetSight  Pol i c y  Manager  to  ensure  the  consistent  allocation  of  network  resources  to  co nnecting  end ‐ systems. Failsafe [...]

  • Page 90

    Out-of-Band NAC Design Procedures 5-26 Design Procedures Figure 5-6 Policy Role Configuration in NetSig ht Policy Manager Assessment Policy The  Assessment  Pol ic y  may  be  used  to  temporarily  allocate  a  set  of  network  resources  to  end ‐ systems  while  they  are  being  ass[...]

  • Page 91

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -27 Figure 5-7 Service for the Assessing Role Note  that  it  is  not  mandatory  to  assign  the  Assessment  Pol i cy  to  a  connecting  end ‐ system  while  it  is  being  assessed.  NAC  can  be  configured  [...]

  • Page 92

    Inline NAC Design Procedures 5-28 Design Procedures Figure 5-8 Service for the Quarantine Role Furthermore,  the  Quarantine  Po l i c y  and  other  network  infrastructure  devices  must  be  configured  to  implement  HTTP  traffic  redirection  for  quaranti ned  end ‐ systems  to ?[...]

  • Page 93

    Inline NAC Design Procedures Enterasys NAC Design Guide 5 -29 Howeve r ,  the  closer  the  NAC  Controller  is  placed  to  the  edge  of  the  network,  the  more  NAC  Controllers  are  required  on  the  netw ork,  increasing  NAC  deployment  cost  and  complex[...]

  • Page 94

    Inline NAC Design Procedures 5-30 Design Procedures 2. Determine the Numb er of NAC Controllers The  number  of  NAC  Controllers  to  be  deploy ed  on  the  network  is  a  function  of  the  following  parameters: •T h e  network  topology . Because  the  NAC  Controller  is [...]

  • Page 95

    Inline NAC Design Procedures Enterasys NAC Design Guide 5 -31 Figure 5-9 Layer 2 NAC Controller Redundancy For  a  Layer  3  NAC  Controller ,  redundancy  is  achieved  by  implementing  redundant  Layer  3  NAC  Controllers  on  adjacent,  but  separate  networks  as  shown  in [...]

  • Page 96

    Inline NAC Design Procedures 5-32 Design Procedures 3. Identify Backend RADIUS Server Interaction Layer  2  NAC  Controllers  detect  downs tream  end ‐ systems  via  authentication:  MAC,  web ‐ based,  or  802.1X.  If  we b ‐ based  or  802.1X  authenti cation  is  implemented,  th[...]

  • Page 97

    Additional Considerations Enterasys NAC Design Guide 5 -33 assessment  server s  to  reach  the  end ‐ system  while  it  is  being  assessed,  regardless  of  whether  the  Assessing  policy ,  Enterprise  User  policy ,  or  any  other  policy  ro le  is  utilized [...]

  • Page 98

    Additional Considerations 5-34 Design Procedures[...]