Enterasys Networks 4G4205-72, 4G4285-49 Secure Networks Policy Support, Standards Compatibility

Secure Networks Policy Support

1-8 Introduction

TheCLIcommandsenableyoutoperformmorecompleteswitchconfiguration

managementtasks.

ForCLIcommandsetinformationandhowtoconfigurethemodule,refertotheEnterasys

MatrixDFE‐GoldSeriesConfigurationGuide.

Secure Networks Policy Support

PolicyEnabledNetworkingmanagestheallocationofnetworkinginfrastructure

resourcesinasecureandeffectivemanner.UsingSecureNetworksPolicy,anIT

AdministratorcanpredictablyassignappropriateresourcestotheUsers,Applications,

andServicesthatusethenetwork;whileblockingorcontainingaccessforinappropriate

orpotentiallydangerousnetworktraffic.Usingthistechnologyitispossible,forthefirst

time,toalignITserviceswiththeneedsofspecificusersandapplications,andtoleverage

thenetworkasakeycomponentoftheorganization’ssecuritystrategy.

TheSecureNetworksPolicyArchitectureconsistsof3components:ClassificationRules,

NetworkServices,andBehavioralProfiles.Thesearedefinedasfollows:

• ClassificationRulesdeterminehowspecifictrafficflows(identifiedbyLayer2,Layer

3,andLayer4informationinthedatapacket)aretreatedbyeachSwitchorRouter.In

general,ClassificationRulesareappliedtothenetworkinginfrastructureatthe

networkedge/ingresspoint.

•NetworkServicesarelogicalgroupsofClassificationRulesthatidentifyspecific

networkedapplicationsorservices.Usersmaybepermittedordeniedaccesstothese

servicesbasedontheirrolewithintheorganization.Priorityandbandwidthrate

limitingmayalsobecontrolledusingNetworkServices.

•BehavioralProfiles(orroles)areusedtoassignNetworkServicestogroupsofusers

whosharecommonneeds–forexampleExecutiveManagers,HumanResources

Personnel,orGuestUsers.Access,resources,andsecurityrestrictionsareappliedas

appropriatetoeachBehavioralProfile.Avarietyofauthenticationmethodsincluding

802.1X,EAP‐TLS,EAP‐TTLS,andPEAPmaybeusedtoclassifyandauthorizeeach

individualuser;andtheITAdministratormayalsodefineaBehavioralProfileto

applyintheabsenceofanauthenticationframework.

Standards Compatibility

TheDFEmodulesarefullycompliantwiththeIEEE802.3‐2002,802.3ae‐2002,802.1D‐

1998,802.3af‐2003,and802.1Q‐1998standards.TheDFEmodulesprovidesIEEE

802.1D‐1998SpanningTreeAlgorithm(STA)supporttoenhancetheoverallreliabilityof

thenetworkandprotectagainst“loop”conditions.