Enterasys Networks 9034385 manual Remote Access WAN, Site-to-Site VPN, Thin Wireless Deployments

Page 62

Survey the Network

this case, the thick AP deployment falls into the category of non‐intelligent edge devices with the same NAC implementations as a non‐intelligent wired edge. These non‐intelligent APs must be configured with inline NAC, positioning the NAC Controller at a strategic point in the network upstream from the non‐intelligent APs where it will implement the authentication and authorization of connecting end‐systems.

Thin Wireless Deployments

For thin wireless deployments, the wireless switch usually supports the authentication and authorization of the wireless end‐systems connected to the APs on the network. Therefore, thin wireless deployments can be configured with out‐of‐band NAC using the NAC Gateway, with the authentication and authorization implemented on the wireless switch. If the wireless switch does not support dynamic VLAN assignment via RFC 3580, inline NAC may be used by positioning the NAC Controller behind the wireless switch to implement the authentication and authorization of wireless end‐systems.

Remote Access WAN

In many enterprise networks, larger remote sites are connected to the main network site over a WAN connection, affording remote users access to corporate resources. If the remote sites are composed of intelligent edge devices supporting the authentication and authorization of the remotely connected end‐systems, then the NAC Gateway can be utilized in the deployment of out‐of‐band NAC. The NAC Gateway may be positioned either locally at the remote site (which may not be practical) or at the main site of the enterprise network. Either way, the NAC Gateway leverages the authentication and authorization capabilities of the switches in the remote site to implement network access control for remote users.

If the NAC Gateway is implemented at the main site, then it is important to consider what impact a WAN link disconnection would have on the NAC process and remote end‐system connectivity. It is recommended that switches in remote sites be configured with a default VLAN or policy that will be applied to the end‐system in the case that connectivity to the main site goes down.

If the remote sites are composed of non‐intelligent switches, then the NAC Controller can be strategically positioned inline with traffic sourced from remote end‐systems to implement the authentication and authorization of these devices. The NAC Controller is most often positioned at the central siteʹs WAN connection to the remote sites. In this configuration, the NAC Controller is able to implement NAC for multiple remote sites, which is important when you consider that some remote sites may have only a few end‐systems concurrently connected.

Site-to-Site VPN

In multi‐site enterprise environments, it is common to have a VPN concentrator located at the main site connecting to remote sites via a VPN tunnel. Similar to the remote access WAN scenario, the implementation of out‐of‐band or inline NAC depends on the capabilities of the edge switches located at the remote site. If the remote sites are composed of intelligent edge switches, then the NAC Gateway can be positioned at the main site to implement out‐of‐band NAC. If the remote sites are composed of non‐intelligent edge switches, then the NAC Controller can be positioned behind the VPN concentrator that provides site‐to‐site VPN connectivity. It is important to note that the NAC Controller must see the actual IP address of the end‐system when an end‐systemʹs traffic traverses it. Therefore, a downstream device from the NAC Controller cannot implement many‐to‐one NAT or reverse proxy VPN, so that the IP address of the end‐system is preserved at the point that the traffic traverses the NAC Controller.

4-10 Design Planning

Page 61 Page 63
Image 62
Page 61 Page 63
Contents Enterasys Page Page Page Contents Design Planning Design ProceduresUse Scenarios Figures TablesPage Intended Audience Related DocumentsGetting Help Support@enterasys.comKey Functionality NAC Solution OverviewAuthentication DetectionAssessment AuthorizationDeployment Models RemediationModel 1 End-system Detection and Tracking Model 2 End-System AuthorizationModel 3 End-System Authorization with Assessment NAC Solution Components NAC ApplianceNAC Gateway Appliance NAC Controller ApplianceNAC Controller is available in two models Appliance Comparison NAC Gateway NAC ControllerDisadvantage Advantage NetSight Management NetSight NAC ManagerAssessment Server SummaryRadius Server Summary Summary Overview Out-of-Band NAC Model 1 End-System Detection and TrackingImplementation End-System and User Tracking Features and ValueInline NAC Layer Model 2 End-System Authorization Required and Optional ComponentsInline NAC Location-Based Authorization Device-Based AuthorizationUser-Based Authorization MAC RegistrationComponent Requirements for Authorization Model 3 End-System Authorization with Assessment Inline NAC Extensive Security Posture Compliance Verification Diverse Security Posture Compliance Verification Component Requirements for Authorization with Assessment Implementation Self-Service Remediation Required and Optional Components Enterasys NAC Deployment Models Value Scenario 1 Intelligent Wired Access Edge Use ScenariosPolicy-Enabled Edge NAC FunctionsRFC 3580 Capable Edge VLAN=ProductionScenario 1 Implementation Scenario 2 Intelligent Wireless Access Edge Thin Wireless EdgeRemediation Web User Laptop Thick Wireless Edge Scenario 2 Implementation Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 2 Wired LAN Scenario 4 VPN Remote Access Scenario 3 ImplementationVPN Remote Access Enterasys Scenario 4 ImplementationUse Scenario Summaries Summary and Appliance Requirements VPN remote access Design Planning Identify the NAC Deployment ModelSurvey the Network Identify the Intelligent Edge of the NetworkNetwork with Intelligent Edge Evaluate Policy/VLAN and Authentication Configuration Case #1 No authentication method is deployed on the networkCase #2 Authentication methods are deployed on the network Overview of Supported Authentication MethodsSupport for Multiple End-System Connection Support of Multiple Authentication MethodsEnd-System Capabilities Authentication Support on Enterasys Devices Authentication ConsiderationsIdentify the Strategic Point for End-System Authorization Thick Wireless Deployments Wired LANWireless LAN Identify Network Connection MethodsSite-to-Site VPN Remote Access WANThin Wireless Deployments Remote Access VPN Identify Inline or Out-of-band NAC DeploymentSummary Procedures for Out-of-Band and Inline NAC Identify Required NetSight ApplicationsDefine Network Security Domains NAC Configurations Security DomainNAC Configuration Authorization NAC Configuration for a Security Domain Procedures for Out-of-Band and Inline NAC To the network Procedures for Out-of-Band and Inline NAC Procedures for Out-of-Band and Inline NAC Security Domain Configuration Guidelines for Assessment Identify Required MAC and User Overrides MAC OverridesMAC and User Override Configuration Procedures for Out-of-Band and Inline NAC Procedures for Out-of-Band and Inline NAC User Overrides Assessment Design Procedures Determine the Number of Assessment ServersIdentify Assessment Server Configuration Determine Assessment Server LocationOut-of-Band NAC Design Procedures Identify Network Authentication ConfigurationDetermine the Number of NAC Gateways NAC Gateway Redundancy Determine NAC Gateway Location Identify Backend Radius Server Interaction Determine End-System Mobility RestrictionsDefine NAC Access Policies Vlan ConfigurationPolicy Role Configuration Failsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationPolicy Role Configuration in NetSight Policy Manager Assessment PolicyService for the Assessing Role Quarantine PolicyUnregistered Policy Inline NAC Design ProceduresDetermine NAC Controller Location Inline NAC Design Procedures Determine the Number of NAC Controllers Layer 2 NAC Controller Redundancy Define Policy Configuration NAC Deployment With NetSight ASM Additional ConsiderationsNAC Deployment With an Intrusion Detection System IDS Additional Considerations Design Procedures

9034385 specifications

Enterasys Networks 9034385 is a powerful networking component designed to enhance enterprise-level connectivity and ensure robust network management capabilities. This device offers a wide range of features that cater to the demanding requirements of modern businesses, focusing on performance, reliability, and security.

One of the main features of the Enterasys Networks 9034385 is its advanced Layer 2 and Layer 3 switching capabilities, which enable efficient data processing and robust network performance. With support for various VLAN configurations, the device allows organizations to segment their networks effectively, leading to improved security and better traffic management.

Another critical aspect of the 9034385 is its support for high-speed connectivity. The device features multiple gigabit Ethernet ports, providing sufficient bandwidth for data-intensive applications commonly used in enterprise environments. The high-speed connections ensure that users can access applications and data quickly and reliably, minimizing latency issues that can affect productivity.

In terms of management, Enterasys Networks has equipped the 9034385 with advanced monitoring and diagnostic tools. These capabilities allow network administrators to track performance metrics, identify potential issues proactively, and make informed decisions about network resource allocation. The inclusion of SNMP (Simple Network Management Protocol) facilitates seamless integration with network management systems, providing comprehensive oversight of network health and performance.

Security is a paramount consideration for the 9034385, which incorporates advanced security protocols to protect sensitive data. Features such as port security, DHCP snooping, and dynamic ARP inspection help safeguard the network against unauthorized access and cyber threats. Furthermore, the device supports authentication mechanisms like 802.1X, ensuring that only authorized users and devices can connect to the network.

The Enterasys Networks 9034385 also stands out due to its seamless integration with cloud-based services and support for virtualization technologies. This compatibility enables organizations to adopt flexible architectures and manage their resources more efficiently. Additionally, the device is designed with scalability in mind, allowing businesses to expand their networks without significant hardware changes or disruptions.

Overall, the Enterasys Networks 9034385 is a versatile and powerful networking solution ideal for enterprises looking to enhance their network infrastructure while ensuring performance, security, and ease of management. The combination of advanced features and technologies makes it a valuable asset for businesses of all sizes striving for efficient and reliable connectivity.
Top Page Image Contents