Enterasys Networks 9034385 manual Location-Based Authorization, Device-Based Authorization

Model 2: End-System Authorization

The NAC Controller may either deny the end-system access to the network or assign the end-system to a particular set of network resources by specifying a particular policy.

Features and Value

In addition to the features and values found in Model 1, the following are key pieces of functionality and value propositions supported by Model 2, End-System Authorization:

Location-Based Authorization

In addition to providing visibility into who, what, when, and where devices and users are connecting to the network, this deployment model allows IT operations to control access to the network with different levels of authorization based on these parameters. For location-based authorization, the Enterasys NAC solution can assign a level of access to a connecting end user or device based on which area of the network the end-system is connected to, through the configuration of Security Domains. For example, when an engineer connects to the network from a controlled area of the network such as the lab, or a faculty member connects to the network from a physically secured faculty office, the engineer and faculty member are appropriately authorized to access sensitive information residing on internal servers. However, if the same users connect to the network from an unsecured area of the network such as the open wireless LAN available in the enterprise's lobby or campus, or in a student dormitory, then these end-systems can be authorized with a different level of network access, possibly restricting communication to the internal servers and other resources on the network.

Furthermore, the NAC solution can also lock a device to a specific switch or switch port, using the “Lock MAC” feature. If the device is moved to any other switch port on the network, it will not be able to connect. For example, a printer or a server containing sensitive data may be connected to the network at a specific location, such as behind a firewall or on a particular VLAN for security reasons. Physically moving the connection of these devices to an open area of the network increases the risk of these devices being attacked and compromised because they would no longer be protected by the security mechanisms that were put in place on the network. The “Lock MAC” feature can be used to limit the mobility of specific devices and avoid malicious or unintentional misconfigurations on the network, thereby reducing risk.

Device-Based Authorization

With this NAC deployment model, end-systems are authorized with access to a specific set of network resources based on the end-system's MAC address. For initial implementation, the Enterasys NAC solution is configured in a mode where all MAC addresses of connecting end-systems are permitted onto the network and dynamically learned. The Enterasys NAC solution is then configured to allow only known MAC addresses onto the network, assigning each end-system a particular authorization level. Any new MAC address connecting to the network is assigned a different authorization level, such as denied access, restricted access, or allowed access if the user is able to properly register their device to the network.

The Enterasys NAC solution is able to authorize specific devices or classes of devices (based on MAC address OUI prefix) with access to a specific set of network resources through the configuration of MAC overrides. For example, an end-system that is known to be infected with a worm, a publicly accessible machine, or a machine belonging to a guest user may be authorized with a restrictive set of network resources or completely denied network access, regardless of where and when this device connects. In contrast, an end-system belonging to the IT operations group may be permitted unrestricted access to network resources for infrastructure troubleshooting and maintenance purposes, regardless of where and when the device connects to the network. If you add location-based authorization (as discussed above) to this example, then unrestricted access for end-systems belonging to the IT operations group
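The following is an added illustration, not Enterasys code or its configuration format, of how the decisions described under Location-Based Authorization (Security Domains, Lock MAC) and Device-Based Authorization (learned MACs, MAC and OUI overrides) combine into one authorization level for a connecting end-system. All table contents are constructed sample data, and the precedence order (Lock MAC, then overrides, then known-MAC check, then location) is an assumption that follows the text's "regardless of where and when" wording for overrides.

```python
"""Toy model of NAC end-system authorization. Assumed names; sample data only."""

# Security Domains: which (switch, port) belongs to which area of the network.
SECURITY_DOMAINS = {
    ("sw-lab-1", 3): "lab",           # controlled area (engineering lab)
    ("sw-dc-1", 1): "datacenter",     # behind the firewall
    ("sw-lobby-1", 12): "open-wlan",  # unsecured area (lobby wireless)
}
# Authorization level a known end-system receives per Security Domain.
DOMAIN_POLICY = {"lab": "enterprise-access", "datacenter": "server-access",
                 "open-wlan": "guest-access"}
# Lock MAC: this printer may only connect on the data-centre switch port.
LOCK_MAC = {"00:1b:63:aa:bb:cc": ("sw-dc-1", 1)}
# MAC overrides: an exact address, then a class of devices by OUI prefix.
MAC_OVERRIDES = {"00:11:22:33:44:55": "quarantine"}   # known worm-infected host
OUI_OVERRIDES = {"00:0c:29": "it-ops-unrestricted"}  # IT operations device class
# Addresses learned while the NAC ran in its permissive learning mode.
KNOWN_MACS = {"00:1b:63:aa:bb:cc", "a4:5e:60:11:22:33"}
UNKNOWN_MAC_POLICY = "registration-only"  # new MAC: register before normal use


def normalize_mac(mac: str) -> str:
    """Accept 00-1B-63-AA-BB-CC, 001b.63aa.bbcc or 00:1b:63:aa:bb:cc forms."""
    digits = "".join(c for c in mac.lower() if c in "0123456789abcdef")
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {mac!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))


def authorize(mac: str, switch: str, port: int) -> str:
    """Return the authorization level for an end-system seen on switch/port."""
    mac = normalize_mac(mac)
    # 1. Lock MAC: a locked device moved to any other port cannot connect.
    if mac in LOCK_MAC and LOCK_MAC[mac] != (switch, port):
        return "deny"
    # 2. Device-based overrides apply regardless of where the device connects.
    if mac in MAC_OVERRIDES:
        return MAC_OVERRIDES[mac]
    if mac[:8] in OUI_OVERRIDES:          # first three octets = OUI prefix
        return OUI_OVERRIDES[mac[:8]]
    # 3. Known-MAC enforcement: an address never learned gets the
    #    registration level instead of a normal policy.
    if mac not in KNOWN_MACS:
        return UNKNOWN_MAC_POLICY
    # 4. Location-based authorization from the port's Security Domain;
    #    a port in no configured domain is treated like the open area.
    domain = SECURITY_DOMAINS.get((switch, port))
    return DOMAIN_POLICY.get(domain, "guest-access")
```

Running `authorize("00-1B-63-AA-BB-CC", "sw-lobby-1", 12)` returns "deny" because the locked printer was moved off its assigned port, while the same address on ("sw-dc-1", 1) receives "server-access".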

Enterasys NAC Design Guide 2-5