Enterasys Networks 9034385 Model 2 End-System Authorization, Required and Optional Components


and information on the network. Enterasys NAC can be leveraged to provide information to SIM solutions, by mapping an IP address to an identity, such as a MAC address or username and location, for a more complete representation of the attack source or target on the network. In this way, the Enterasys NAC solution further enhances the operation of existing security technologies deployed on the network.
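The IP-to-identity mapping described above, as an added example that is not part of the original guide and uses no Enterasys API: a time-aware lookup over a hypothetical export of NAC end-system records (IP, MAC, username, switch/port location, first-seen and last-seen timestamps; the field names and all sample data are constructed for this illustration), used to enrich constructed IDS event lines before they are handed to a SIM. The point it adds beyond the paragraph: an IP address is reassigned over time, so the lookup must be keyed by the event timestamp as well as the IP, and an overlap or a gap in the tracking data must be reported as "unknown" rather than guessed.

```python
"""Time-aware IP-to-identity enrichment for SIM events.

Added illustration, not Enterasys code. The end-system export format below
is an assumption; the records and event lines are constructed sample data.
"""
import re
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional, Union


@dataclass(frozen=True)
class EndSystem:
    ip: str
    mac: str
    username: str
    location: str        # switch and port the end-system was seen on
    first_seen: datetime
    last_seen: datetime


# Constructed sample table. The same IP (10.20.30.40) is held by two different
# end-systems at different times, which is why the event timestamp matters.
END_SYSTEMS: List[EndSystem] = [
    EndSystem("10.20.30.40", "00:11:22:33:44:55", "alice", "sw-floor2-01 ge.1.12",
              datetime(2024, 5, 1, 8, 0), datetime(2024, 5, 1, 17, 0)),
    EndSystem("10.20.30.40", "66:77:88:99:aa:bb", "bob", "sw-floor3-02 ge.1.7",
              datetime(2024, 5, 1, 18, 30), datetime(2024, 5, 2, 9, 0)),
    EndSystem("10.20.30.41", "cc:dd:ee:ff:00:11", "carol", "sw-floor2-01 ge.1.13",
              datetime(2024, 5, 1, 7, 45), datetime(2024, 5, 2, 12, 0)),
]


def identity_at(ip: str, when: Union[str, datetime],
                records: List[EndSystem] = END_SYSTEMS) -> Optional[EndSystem]:
    """Return the end-system that held `ip` at time `when`, or None.

    None is returned both when no record covers the timestamp (a gap in
    tracking) and when more than one does (overlapping records); in neither
    case is it safe to attribute the event to a user.
    """
    if isinstance(when, str):
        when = datetime.fromisoformat(when)
    matches = [r for r in records
               if r.ip == ip and r.first_seen <= when <= r.last_seen]
    if len(matches) != 1:
        return None
    return matches[0]


# Constructed event format: "<ISO timestamp> ... src=<ip> dst=<ip> ..."
EVENT_RE = re.compile(r"^(?P<ts>\S+) .*?src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+)")


def enrich_event(line: str, records: List[EndSystem] = END_SYSTEMS) -> dict:
    """Attach MAC, user and location to the source and destination of an event."""
    m = EVENT_RE.match(line)
    if not m:
        raise ValueError("unrecognised event format: %r" % line)
    when = datetime.fromisoformat(m.group("ts"))
    out = {"ts": when.isoformat(), "src_ip": m.group("src"), "dst_ip": m.group("dst")}
    for side in ("src", "dst"):
        es = identity_at(m.group(side), when, records)
        out[side + "_identity"] = (
            {"mac": es.mac, "user": es.username, "location": es.location}
            if es else None)
    return out


if __name__ == "__main__":
    # Constructed IDS alert lines. The first falls in bob's window, the second
    # in alice's, the third in the gap between them and stays unattributed.
    for line in (
        "2024-05-01T19:05:00 IDS alert src=10.20.30.40 dst=10.20.30.41 sig=constructed-scan",
        "2024-05-01T10:00:00 IDS alert src=10.20.30.40 dst=10.20.30.41 sig=constructed-scan",
        "2024-05-01T17:30:00 IDS alert src=10.20.30.40 dst=10.20.30.41 sig=constructed-scan",
    ):
        print(enrich_event(line))
```

The enrichment should be run against the tracking data as it stood at the time of the event, not against the current end-system table, which is why the records carry first-seen and last-seen bounds rather than a single "current IP" column.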

Required and Optional Components

This section summarizes the required and optional components for Model 1.


Table 2-1 Component Requirements for Detection and Tracking

Component                     Detection and Tracking
NAC Appliance                 Required
NetSight NAC Manager          Required
NetSight Console              Required
Assessment                    Optional
RADIUS Server                 Optional
NetSight Policy Manager       Optional
NetSight Inventory Manager    Optional

The NAC Gateway and NAC Controller are the NAC appliances used to implement, respectively, the out-of-band and inline network access control functionality on the network.

NetSight NAC Manager is the software application used to centrally manage the NAC appliances deployed on the network.

NetSight Console is the software application used to monitor the health and status of infrastructure devices in the network, including switches, routers, and Enterasys NAC appliances (NAC Gateways and NAC Controllers).

Assessment functionality is optional because in this deployment model, end‐systems are not being assessed for security posture compliance when connecting to the network.

A RADIUS server is required only if out-of-band network access control using the NAC Gateway, or inline network access control using the Layer 2 NAC Controller, is implemented with web-based and/or 802.1X authentication.

NetSight Policy Manager is not required because additional policies and authorization levels do not need to be defined for this deployment model.

NetSight Inventory Manager is an optional component, providing comprehensive network inventory and change management capabilities.

Model 2: End-System Authorization

This NAC deployment model implements the detection, authentication, and authorization of connecting end-systems, to control access to network resources based on user and end-system identity, as well as location. In Model 1, end-systems and end users are detected and tracked on the network over time. This gives IT operations visibility into what devices are connected to the network, who is using these devices, and where these devices are connected. In Model 2, the

Enterasys NAC Design Guide 2-3
