Enterasys Networks 9034385 manual To the network

Page 72

Procedures for Out-of-Band and Inline NAC

Table 5-1 Security Domain Configuration Guidelines (continued)

Network Scenario

Examples

Security Domain Configuration

 

 

 

Area of the network that

• Switches that provide access to

provides access to a group of

guest users or contractors on a

users or devices that pose a

corporate network. These users are

potentially high risk to the

usually not directly under the

security or stability of the

administrative control of IT

network.

operations and pose additional risks

 

to the network.

 

• Switches that provide access to

 

users within an organization that are

 

allowed to engage in high risk

 

behaviors on the network, or are not

 

protected by security mechanisms

 

such as a firewall or Intrusion

 

Detection Systems (IDS). A sales

 

organization that uses the Internet

 

as a necessary part of their job, or a

 

branch office location that is not

 

protected by a firewall would both be

 

characterized as high risk groups of

 

users.

 

• Wireless Access Points (APs) that

 

are configured with an open wireless

 

network or a wireless network that is

 

secured through weak

 

authentication/encryption

 

mechanisms such as WEP. End-

 

systems on these networks pose a

 

greater risk to the organization

 

because access to the network by

 

untrusted users is easier.

 

 

Area of the network that is more

• Switches that front-end a distribution

apt to affect the network's

layer device that often crashes in the

overall security or stability.

event of security threats or other

 

events on the network. Assigning a

 

more restrictive policy to these end-

 

systems protects against the

 

instability of the infrastructure

 

devices.

 

 

Area of the network where

• Switches that provide access to

authentication is not deployed

conference rooms, libraries, and

and open network access is

other areas commonly used by

available.

untrusted users.

 

• Access points that provide guest

 

access to an open SSID.

Impose a more restrictive set of network resources in the authorization of connecting end- systems, and execute a thorough security posture assessment of connecting end-systems (if assessment is implemented on the network).

These measures limit the network exposure to security threat propagation and protect against network instability.

In NAC Manager, create a Security Domain with the following configuration attributes:

With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Replace RADIUS Attributes with Accept Policy” option and specify a restrictive policy or VLAN in the Accept Policy field. Furthermore, a more extensive Assessment Configuration may be selected to scan these devices with a larger set of assessment parameters.

This allows the administrator to locally authorize MAC authentication requests and overwrite the policy information returned from the RADIUS server with a more restrictive policy.

Configure the Accept Policy with a policy or VLAN that provides more restrictive network access for end-systems posing a higher risk.

5-8 Design Procedures

Image 72
Contents Enterasys Page Page Page Contents Design Procedures Use ScenariosDesign Planning Figures TablesPage Intended Audience Related DocumentsGetting Help Support@enterasys.comNAC Solution Overview AuthenticationKey Functionality DetectionAuthorization Deployment ModelsAssessment RemediationModel 2 End-System Authorization Model 3 End-System Authorization with AssessmentModel 1 End-system Detection and Tracking NAC Solution Components NAC ApplianceNAC Gateway Appliance NAC Controller ApplianceNAC Controller is available in two models Appliance Comparison NAC Gateway NAC ControllerDisadvantage Advantage NetSight Management NetSight NAC ManagerSummary Radius ServerAssessment Server Summary Summary Overview Model 1 End-System Detection and Tracking ImplementationOut-of-Band NAC Features and Value Inline NAC LayerEnd-System and User Tracking Model 2 End-System Authorization Required and Optional ComponentsInline NAC Location-Based Authorization Device-Based AuthorizationUser-Based Authorization MAC RegistrationComponent Requirements for Authorization Model 3 End-System Authorization with Assessment Inline NAC Extensive Security Posture Compliance Verification Diverse Security Posture Compliance Verification Component Requirements for Authorization with Assessment Implementation Self-Service Remediation Required and Optional Components Enterasys NAC Deployment Models Value Scenario 1 Intelligent Wired Access Edge Use ScenariosPolicy-Enabled Edge NAC FunctionsRFC 3580 Capable Edge VLAN=ProductionScenario 1 Implementation Scenario 2 Intelligent Wireless Access Edge Thin Wireless EdgeRemediation Web User Laptop Thick Wireless Edge Scenario 2 Implementation Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 2 Wired LAN Scenario 4 VPN Remote Access Scenario 3 ImplementationVPN Remote Access Enterasys Scenario 4 ImplementationUse Scenario Summaries Summary and Appliance Requirements VPN remote access Design Planning Identify the NAC Deployment ModelSurvey the Network Identify the Intelligent Edge of the NetworkNetwork with Intelligent Edge Evaluate Policy/VLAN and Authentication Configuration Case #1 No authentication method is deployed on the networkCase #2 Authentication methods are deployed on the network Overview of Supported Authentication MethodsSupport of Multiple Authentication Methods End-System CapabilitiesSupport for Multiple End-System Connection Authentication Support on Enterasys Devices Authentication ConsiderationsIdentify the Strategic Point for End-System Authorization Wired LAN Wireless LANThick Wireless Deployments Identify Network Connection MethodsRemote Access WAN Thin Wireless DeploymentsSite-to-Site VPN Remote Access VPN Identify Inline or Out-of-band NAC DeploymentSummary Procedures for Out-of-Band and Inline NAC Identify Required NetSight ApplicationsDefine Network Security Domains NAC Configurations Security DomainNAC Configuration Authorization NAC Configuration for a Security Domain Procedures for Out-of-Band and Inline NAC To the network Procedures for Out-of-Band and Inline NAC Procedures for Out-of-Band and Inline NAC Security Domain Configuration Guidelines for Assessment Identify Required MAC and User Overrides MAC OverridesMAC and User Override Configuration Procedures for Out-of-Band and Inline NAC Procedures for Out-of-Band and Inline NAC User Overrides Assessment Design Procedures Determine the Number of Assessment ServersIdentify Assessment Server Configuration Determine Assessment Server LocationOut-of-Band NAC Design Procedures Identify Network Authentication ConfigurationDetermine the Number of NAC Gateways NAC Gateway Redundancy Determine NAC Gateway Location Identify Backend Radius Server Interaction Determine End-System Mobility RestrictionsVlan Configuration Policy Role ConfigurationDefine NAC Access Policies Failsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationPolicy Role Configuration in NetSight Policy Manager Assessment PolicyService for the Assessing Role Quarantine PolicyInline NAC Design Procedures Determine NAC Controller LocationUnregistered Policy Inline NAC Design Procedures Determine the Number of NAC Controllers Layer 2 NAC Controller Redundancy Define Policy Configuration Additional Considerations NAC Deployment With an Intrusion Detection System IDSNAC Deployment With NetSight ASM Additional Considerations Design Procedures

9034385 specifications

Enterasys Networks 9034385 is a powerful networking component designed to enhance enterprise-level connectivity and ensure robust network management capabilities. This device offers a wide range of features that cater to the demanding requirements of modern businesses, focusing on performance, reliability, and security.

One of the main features of the Enterasys Networks 9034385 is its advanced Layer 2 and Layer 3 switching capabilities, which enable efficient data processing and robust network performance. With support for various VLAN configurations, the device allows organizations to segment their networks effectively, leading to improved security and better traffic management.

Another critical aspect of the 9034385 is its support for high-speed connectivity. The device features multiple gigabit Ethernet ports, providing sufficient bandwidth for data-intensive applications commonly used in enterprise environments. The high-speed connections ensure that users can access applications and data quickly and reliably, minimizing latency issues that can affect productivity.

In terms of management, Enterasys Networks has equipped the 9034385 with advanced monitoring and diagnostic tools. These capabilities allow network administrators to track performance metrics, identify potential issues proactively, and make informed decisions about network resource allocation. The inclusion of SNMP (Simple Network Management Protocol) facilitates seamless integration with network management systems, providing comprehensive oversight of network health and performance.

Security is a paramount consideration for the 9034385, which incorporates advanced security protocols to protect sensitive data. Features such as port security, DHCP snooping, and dynamic ARP inspection help safeguard the network against unauthorized access and cyber threats. Furthermore, the device supports authentication mechanisms like 802.1X, ensuring that only authorized users and devices can connect to the network.

The Enterasys Networks 9034385 also stands out due to its seamless integration with cloud-based services and support for virtualization technologies. This compatibility enables organizations to adopt flexible architectures and manage their resources more efficiently. Additionally, the device is designed with scalability in mind, allowing businesses to expand their networks without significant hardware changes or disruptions.

Overall, the Enterasys Networks 9034385 is a versatile and powerful networking solution ideal for enterprises looking to enhance their network infrastructure while ensuring performance, security, and ease of management. The combination of advanced features and technologies makes it a valuable asset for businesses of all sizes striving for efficient and reliable connectivity.