Enterasys Networks 9034385 manual Location-Based Authorization, Device-Based Authorization

Page 27

Model 2: End-System Authorization

The NAC Controller may either deny the end-system access to the network or assign the end-system to a particular set of network resources by specifying a particular policy.

Features and Value

In addition to the features and value found in Model 1, the following are the key pieces of functionality and value propositions supported by Model 2, End-System Authorization:

Location-Based Authorization

In addition to providing visibility into who, what, when, and where devices and users are connecting to the network, this deployment model allows IT operations to control access to the network with different levels of authorization based on these parameters. For location-based authorization, the Enterasys NAC solution can assign a level of access to a connecting end user or device based on which area of the network the end-system is connected to, through the configuration of Security Domains. For example, when an engineer connects to the network from a controlled area such as the lab, or a faculty member connects from a physically secured faculty office, the engineer and the faculty member are authorized to access sensitive information residing on internal servers. However, if the same users connect from an unsecured area of the network, such as the open wireless LAN available in the enterprise's lobby or campus, or in a student dormitory, then these end-systems can be authorized with a different level of network access, possibly restricting communication to the internal servers and other resources on the network.

Furthermore, the NAC solution can also lock a device to a specific switch or switch port, using the “Lock MAC” feature. If the device is moved to any other switch port on the network, it will not be able to connect. For example, a printer or a server containing sensitive data may be connected to the network at a specific location, such as behind a firewall or on a particular VLAN, for security reasons. Physically moving the connection of such a device to an open area of the network increases the risk of its being attacked and compromised, because it would no longer be protected by the security mechanisms put in place at its intended location. The “Lock MAC” feature limits the mobility of specific devices and prevents malicious or unintentional misconfigurations on the network, thereby reducing risk.

Device-Based Authorization

With this NAC deployment model, end-systems are authorized with access to a specific set of network resources based on the end-system's MAC address. For initial implementation, the Enterasys NAC solution is configured in a mode where all MAC addresses of connecting end-systems are permitted onto the network and dynamically learned. The Enterasys NAC solution is then configured to allow only known MAC addresses onto the network, assigning each end-system a particular authorization level. Any new MAC address connecting to the network is assigned a different authorization level, such as denied access, restricted access, or allowed access if the user is able to properly register the device to the network. Because a MAC address is presented by the end-system itself and can be forged, MAC-based authorization identifies a device rather than strongly authenticating it; where the end-system supports it, pair it with user authentication (for example 802.1X) rather than relying on the MAC address alone.

The Enterasys NAC solution is able to authorize specific devices or classes of devices (based on the MAC address OUI prefix) with access to a specific set of network resources through the configuration of MAC overrides. For example, an end-system that is known to be infected with a worm, a publicly accessible machine, or a machine belonging to a guest user may be authorized with a restrictive set of network resources or completely denied network access, regardless of where and when the device connects. In contrast, an end-system belonging to the IT operations group may be permitted unrestricted access to network resources for infrastructure troubleshooting and maintenance purposes, regardless of where and when the device connects to the network. If you add location-based authorization (as discussed above) to this example, then unrestricted access for end-systems belonging to the IT operations group
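The following is an added illustration, not Enterasys code and not taken from this guide: a small policy-decision engine that models the mechanisms described in the Location-Based Authorization and Device-Based Authorization sections above in one place: Security Domains keyed by the attaching switch, “Lock MAC” port pinning, MAC learning versus known-MAC enforcement with a registration path for unknown devices, and exact-MAC and OUI-prefix overrides that apply regardless of location. The precedence order (lock check, then overrides, then known-MAC enforcement, then location), the access-level names, the switch addresses, user names and MAC addresses (drawn from the IANA documentation range 00:00:5e:00:53:xx, plus a constructed OUI de:ad:be) are all assumptions made for the example.

```python
"""Illustrative NAC authorization engine. Added example, not Enterasys code.

Models the mechanisms described on this page: location-based authorization
via security domains, "Lock MAC" port pinning, MAC learning vs. known-MAC
enforcement with device registration, and MAC / OUI-prefix overrides.
Precedence order, names, addresses and sample MACs are assumptions.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, Optional, Set, Tuple


class Access(Enum):
    DENY = "deny"                  # refuse the connection outright
    RESTRICTED = "restricted"      # e.g. no access to internal servers
    REGISTRATION = "registration"  # registration-only role for unknown devices
    ALLOW = "allow"                # normal access for this location/group
    UNRESTRICTED = "unrestricted"  # infrastructure troubleshooting role


def normalize_mac(mac: str) -> str:
    """Canonical lower-case colon form; accepts AA-BB-.., aabb.ccdd.eeff, etc."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def oui_of(mac: str) -> str:
    """First three octets (vendor OUI prefix) of a normalized MAC."""
    return normalize_mac(mac)[:8]


@dataclass
class Connection:
    mac: str
    switch: str                  # switch the end-system attached to
    port: str
    user: Optional[str] = None   # authenticated user; None for MAC-only sessions


@dataclass
class NacPolicy:
    domains: Dict[str, str]                      # switch -> security domain
    domain_access: Dict[str, Dict[str, Access]]  # domain -> {group or "*": access}
    user_groups: Dict[str, str]                  # user -> group
    mac_overrides: Dict[str, Access] = field(default_factory=dict)
    oui_overrides: Dict[str, Access] = field(default_factory=dict)
    locked_macs: Dict[str, Tuple[str, str]] = field(default_factory=dict)  # Lock MAC
    enforce_known_macs: bool = False             # False = learning mode
    known_macs: Set[str] = field(default_factory=set)
    unknown_mac_access: Access = Access.REGISTRATION
    default_access: Access = Access.RESTRICTED

    def register(self, mac: str) -> None:
        """Device registration: promote a MAC into the known set."""
        self.known_macs.add(normalize_mac(mac))

    def authorize(self, conn: Connection) -> Tuple[Access, str]:
        mac = normalize_mac(conn.mac)
        # 1. Lock MAC: a pinned device seen on any other switch/port is refused.
        pin = self.locked_macs.get(mac)
        if pin is not None and pin != (conn.switch, conn.port):
            return Access.DENY, f"lock-mac: {mac} pinned to {pin[0]}/{pin[1]}"
        # 2. Overrides, exact MAC first then OUI class; they apply regardless
        #    of where or when the device connects.
        if mac in self.mac_overrides:
            return self.mac_overrides[mac], "mac override"
        if mac[:8] in self.oui_overrides:
            return self.oui_overrides[mac[:8]], f"oui override {mac[:8]}"
        # 3. Device-based: learn every MAC while in learning mode; once
        #    enforcing, an unknown MAC gets the configured fallback level.
        if not self.enforce_known_macs:
            self.known_macs.add(mac)
        elif mac not in self.known_macs:
            return self.unknown_mac_access, "unknown mac"
        # 4. Location-based: the attaching switch's security domain decides
        #    what a given user group may reach from there.
        domain = self.domains.get(conn.switch, "unassigned")
        group = self.user_groups.get(conn.user or "", "guest")
        rules = self.domain_access.get(domain, {})
        access = rules.get(group, rules.get("*", self.default_access))
        return access, f"domain {domain}, group {group}"


def build_sample_policy() -> NacPolicy:
    """Constructed sample configuration (assumed names, addresses and MACs)."""
    return NacPolicy(
        domains={"10.1.1.1": "lab", "10.1.2.1": "faculty-office",
                 "10.9.9.1": "lobby-wlan"},
        domain_access={
            "lab": {"engineering": Access.ALLOW, "*": Access.RESTRICTED},
            "faculty-office": {"faculty": Access.ALLOW, "*": Access.RESTRICTED},
            "lobby-wlan": {"*": Access.RESTRICTED},
        },
        user_groups={"alice": "engineering", "bob": "faculty", "carol": "it-ops"},
        mac_overrides={"00:00:5e:00:53:aa": Access.UNRESTRICTED,  # IT ops laptop
                       "00:00:5e:00:53:bb": Access.DENY},          # known-infected host
        oui_overrides={"de:ad:be": Access.RESTRICTED},             # guest device class
        locked_macs={"00:00:5e:00:53:01": ("10.1.1.1", "ge.1.5")},  # lab printer
    )


if __name__ == "__main__":
    policy = build_sample_policy()
    for conn in (Connection("00:00:5e:00:53:10", "10.1.1.1", "ge.1.7", "alice"),
                 Connection("00:00:5e:00:53:10", "10.9.9.1", "ap-1", "alice"),
                 Connection("00:00:5e:00:53:01", "10.1.1.1", "ge.1.6"),
                 Connection("00:00:5E:00:53:AA", "10.9.9.1", "ap-1", "carol")):
        level, reason = policy.authorize(conn)
        print(f"{conn.mac} @ {conn.switch}/{conn.port}: {level.value} ({reason})")
```

Running the script walks the engineer from the lab (allow) to the lobby WLAN (restricted), shows the pinned printer refused on a different port, and shows the IT operations laptop kept at unrestricted from the lobby because its MAC override is evaluated before location. Flipping `enforce_known_macs` to True after the learning phase is the switch from the initial learning deployment to known-MAC enforcement; from then on a new MAC lands in the registration level until `register()` is called for it.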

Enterasys NAC Design Guide 2-5


9034385 specifications

Enterasys Networks 9034385 is a powerful networking component designed to enhance enterprise-level connectivity and ensure robust network management capabilities. This device offers a wide range of features that cater to the demanding requirements of modern businesses, focusing on performance, reliability, and security.

One of the main features of the Enterasys Networks 9034385 is its advanced Layer 2 and Layer 3 switching capabilities, which enable efficient data processing and robust network performance. With support for various VLAN configurations, the device allows organizations to segment their networks effectively, leading to improved security and better traffic management.

Another critical aspect of the 9034385 is its support for high-speed connectivity. The device features multiple gigabit Ethernet ports, providing sufficient bandwidth for data-intensive applications commonly used in enterprise environments. The high-speed connections ensure that users can access applications and data quickly and reliably, minimizing latency issues that can affect productivity.

In terms of management, Enterasys Networks has equipped the 9034385 with advanced monitoring and diagnostic tools. These capabilities allow network administrators to track performance metrics, identify potential issues proactively, and make informed decisions about network resource allocation. The inclusion of SNMP (Simple Network Management Protocol) facilitates seamless integration with network management systems, providing comprehensive oversight of network health and performance.

Security is a paramount consideration for the 9034385, which incorporates advanced security protocols to protect sensitive data. Features such as port security, DHCP snooping, and dynamic ARP inspection help safeguard the network against unauthorized access and cyber threats. Furthermore, the device supports authentication mechanisms like 802.1X, ensuring that only authorized users and devices can connect to the network.

The Enterasys Networks 9034385 also stands out due to its seamless integration with cloud-based services and support for virtualization technologies. This compatibility enables organizations to adopt flexible architectures and manage their resources more efficiently. Additionally, the device is designed with scalability in mind, allowing businesses to expand their networks without significant hardware changes or disruptions.

Overall, the Enterasys Networks 9034385 is a versatile and powerful networking solution ideal for enterprises looking to enhance their network infrastructure while ensuring performance, security, and ease of management. The combination of advanced features and technologies makes it a valuable asset for businesses of all sizes striving for efficient and reliable connectivity.