Enterasys Networks 9034385 manual Model 1 End-system Detection and Tracking

Page 13

NAC Solution Overview

Model 1: End-system Detection and Tracking

This NAC deployment model implements the detection piece of NAC functionality. It supports the ability to track users and end‐systems over time by identifying where they are currently connected to the network and where they have connected to the network at any given time in the past. This information is useful for compliance and auditing purposes, as well as other management operations that require complete visibility into the current and historical connections of end‐ systems and users.

Model 2: End-System Authorization

This NAC deployment model implements the detection, authentication, and authorization NAC functionalities, to control access to network resources based on user and end‐system identity and location. The model supports MAC address or guest registration, where new end‐systems are forced to provide a valid user identity in a web page form before being allowed access to the network. Following successful registration, end‐systems are granted measured access, without requiring the intervention of network operations.

Model 3: End-System Authorization with Assessment

This NAC deployment model implements the detection, authentication, assessment, and authorization NAC functionalities, to control access to network resources based on the security posture of a connecting end‐system, as well as user and device identity and location. End‐systems that fail assessment can be dynamically quarantined with restrictive network access to mitigate the propagation of security threats on the network, while compliant end‐systems are permitted onto the network with a measured level of access.

Alternatively, specific end‐systems and users can be assessed upon network connection and be permitted network access regardless of the assessment results. This approach allows an IT administrator to have visibility into the configuration of end devices on the network without impacting their network connectivity during or after assessment. This approach is usually implemented during the initial rollout of the NAC solution for baselining purposes.

This NAC deployment model requires the use of either integrated assessment server functionality or the ability to connect to external assessment services, in order to execute the end‐system vulnerability assessment.

Model 4: End-System Authorization with Assessment and Remediation

This NAC deployment model implements the detection, authentication, assessment, authorization, and remediation NAC functionalities, providing for the quarantine and remediation of noncompliant devices. Assisted remediation uses web‐based notification to dynamically inform quarantined end‐systems of security compliance violations, and allow end users to safely remediate their quarantined end‐system without impacting IT operations.

Enterasys NAC Design Guide 1-3

Page 12 Page 14
Image 13
Page 12 Page 14
Contents Enterasys Page Page Page Contents Use Scenarios Design ProceduresDesign Planning Tables FiguresPage Related Documents Intended Audience Support@enterasys.com Getting HelpAuthentication NAC Solution OverviewKey Functionality DetectionDeployment Models AuthorizationAssessment RemediationModel 3 End-System Authorization with Assessment Model 2 End-System AuthorizationModel 1 End-system Detection and Tracking NAC Appliance NAC Solution ComponentsNAC Controller Appliance NAC Gateway ApplianceNAC Controller is available in two models NAC Gateway NAC Controller Appliance ComparisonDisadvantage Advantage NetSight NAC Manager NetSight ManagementRadius Server SummaryAssessment Server Summary Summary Overview Implementation Model 1 End-System Detection and TrackingOut-of-Band NAC Inline NAC Layer Features and ValueEnd-System and User Tracking Required and Optional Components Model 2 End-System AuthorizationInline NAC Device-Based Authorization Location-Based AuthorizationMAC Registration User-Based AuthorizationComponent Requirements for Authorization Model 3 End-System Authorization with Assessment Inline NAC Extensive Security Posture Compliance Verification Diverse Security Posture Compliance Verification Component Requirements for Authorization with Assessment Implementation Self-Service Remediation Required and Optional Components Enterasys NAC Deployment Models Value Use Scenarios Scenario 1 Intelligent Wired Access EdgeNAC Functions Policy-Enabled EdgeVLAN=Production RFC 3580 Capable EdgeScenario 1 Implementation Thin Wireless Edge Scenario 2 Intelligent Wireless Access EdgeRemediation Web User Laptop Thick Wireless Edge Scenario 2 Implementation Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 2 Wired LAN Scenario 3 Implementation Scenario 4 VPN Remote AccessScenario 4 Implementation VPN Remote Access EnterasysUse Scenario Summaries Summary and Appliance Requirements VPN remote access Identify the NAC Deployment Model Design PlanningIdentify the Intelligent Edge of the Network Survey the NetworkNetwork with Intelligent Edge Case #1 No authentication method is deployed on the network Evaluate Policy/VLAN and Authentication ConfigurationOverview of Supported Authentication Methods Case #2 Authentication methods are deployed on the networkEnd-System Capabilities Support of Multiple Authentication MethodsSupport for Multiple End-System Connection Authentication Considerations Authentication Support on Enterasys DevicesIdentify the Strategic Point for End-System Authorization Wireless LAN Wired LANThick Wireless Deployments Identify Network Connection MethodsThin Wireless Deployments Remote Access WANSite-to-Site VPN Identify Inline or Out-of-band NAC Deployment Remote Access VPNSummary Identify Required NetSight Applications Procedures for Out-of-Band and Inline NACDefine Network Security Domains Security Domain NAC ConfigurationsNAC Configuration Authorization NAC Configuration for a Security Domain Procedures for Out-of-Band and Inline NAC To the network Procedures for Out-of-Band and Inline NAC Procedures for Out-of-Band and Inline NAC Security Domain Configuration Guidelines for Assessment MAC Overrides Identify Required MAC and User OverridesMAC and User Override Configuration Procedures for Out-of-Band and Inline NAC Procedures for Out-of-Band and Inline NAC User Overrides Determine the Number of Assessment Servers Assessment Design ProceduresDetermine Assessment Server Location Identify Assessment Server ConfigurationIdentify Network Authentication Configuration Out-of-Band NAC Design ProceduresDetermine the Number of NAC Gateways NAC Gateway Redundancy Determine NAC Gateway Location Determine End-System Mobility Restrictions Identify Backend Radius Server InteractionPolicy Role Configuration Vlan ConfigurationDefine NAC Access Policies Assessment Policy and Quarantine Policy Configuration Failsafe Policy and Accept Policy ConfigurationAssessment Policy Policy Role Configuration in NetSight Policy ManagerQuarantine Policy Service for the Assessing RoleDetermine NAC Controller Location Inline NAC Design ProceduresUnregistered Policy Inline NAC Design Procedures Determine the Number of NAC Controllers Layer 2 NAC Controller Redundancy Define Policy Configuration NAC Deployment With an Intrusion Detection System IDS Additional ConsiderationsNAC Deployment With NetSight ASM Additional Considerations Design Procedures
Top Page Image Contents