Model 2: End-System Authorization

The NAC Controller may either deny the end‐system access to the network or assign the end‐system to a particular set of network resources by specifying a particular policy.

Features and Value

In addition to the features and values found in Model 1, the following are key pieces of functionality and value propositions supported by Model 2, End‐System Authorization:

Location-Based Authorization

In addition to providing visibility into who, what, when, and where devices and users are connecting to the network, this deployment model allows IT operations to control access to the network with different levels of authorization based on these parameters. For location‐based authorization, the Enterasys NAC solution can assign a level of access to a connecting end user or device based on which area of the network the end‐system is connected to, through the configuration of Security Domains. For example, when an engineer connects to the network from a controlled area of the network such as the lab, or a faculty member connects to the network from a physically secured faculty office, the engineer and faculty member are appropriately authorized to access sensitive information residing on internal servers. However, if the same users connect to the network from an unsecured area of the network such as the open wireless LAN available in the enterprise's lobby or campus, or in a student dormitory, then these end‐systems can be authorized with a different level of network access, possibly restricting communication to the internal servers and other resources on the network.

Furthermore, the NAC solution can also lock a device to a specific switch or switch port, using the “Lock MAC” feature. If the device is moved to any other switch port on the network, it will not be able to connect. For example, a printer or a server containing sensitive data may be connected to the network at a specific location, such as behind a firewall or on a particular VLAN for security reasons. Physically moving the connection of these devices to an open area of the network increases the risk of these devices being attacked and compromised because they would no longer be protected by the security mechanisms that were put in place on the network. The “Lock MAC” feature can be used to limit the mobility of specific devices and avoid malicious or unintentional misconfigurations on the network, thereby reducing risk.

Device-Based Authorization

With this NAC deployment model, end‐systems are authorized with access to a specific set of network resources based on the end‐system's MAC address. For initial implementation, the Enterasys NAC solution is configured in a mode where all MAC addresses of connecting end‐systems are permitted onto the network and dynamically learned. The Enterasys NAC solution is then configured to allow only known MAC addresses onto the network, assigning each end‐system a particular authorization level. Any new MAC address connecting to the network is assigned a different authorization level, such as denied access, restricted access, or allowed access if the user is able to properly register their device with the network.

The Enterasys NAC solution is able to authorize specific devices or classes of devices (based on MAC address OUI prefix) with access to a specific set of network resources through the configuration of MAC overrides. For example, an end‐system that is known to be infected with a worm, a publicly accessible machine, or a machine belonging to a guest user may be authorized with a restrictive set of network resources or completely denied network access, regardless of where and when this device connects. In contrast, an end‐system belonging to the IT operations group may be permitted unrestricted access to network resources for infrastructure troubleshooting and maintenance purposes, regardless of where and when the device connects to the network. If you add location‐based authorization (as discussed above) to this example, then unrestricted access for end‐systems belonging to the IT operations group

Enterasys NAC Design Guide 2-5
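The following is an added example, not code from the Enterasys NAC Design Guide or from the Enterasys product: a small Python authorization engine that models the Model 2 decisions described in the Location‐Based and Device‐Based Authorization sections above. It combines the four mechanisms the text names: Security Domains (switch to domain mapping, domain to access level), Lock MAC (a MAC pinned to one switch/port), the learn‐then‐enforce known‐MAC table, and MAC overrides keyed on a full MAC or a 3‐octet OUI prefix. All switch names, domain names and MAC addresses are constructed; the MACs use locally administered addresses (second hex digit 2) so that no real vendor OUI is implied, and the precedence order (Lock MAC, then overrides, then known‐MAC check, then domain) is an assumption of this example, not documented Enterasys behaviour.

```python
# Added example (not Enterasys code): a toy NAC authorization engine for the
# Model 2 decisions on this page. Every name and MAC below is constructed.
from __future__ import annotations
from dataclasses import dataclass, field
from enum import Enum


class Access(Enum):
    DENY = "deny"
    RESTRICTED = "restricted"        # e.g. registration portal / guest resources only
    ALLOW = "allow"                  # normal access to internal servers
    UNRESTRICTED = "unrestricted"    # e.g. IT operations troubleshooting


@dataclass
class ConnectEvent:
    """One end-system appearing on a switch port (what the NAC controller sees)."""
    mac: str
    switch: str
    port: int


def _octets(value: str, count: int) -> str:
    """Canonical lower-case colon form; rejects anything that is not `count` octets."""
    digits = "".join(c for c in value.lower() if c in "0123456789abcdef")
    if len(digits) != 2 * count:
        raise ValueError(f"expected {count} octets, got {value!r}")
    return ":".join(digits[i:i + 2] for i in range(0, len(digits), 2))


def normalize_mac(mac: str) -> str:
    return _octets(mac, 6)


def normalize_override_key(key: str) -> str:
    """An override key is either a full MAC or a 3-octet OUI prefix."""
    try:
        return _octets(key, 6)
    except ValueError:
        return _octets(key, 3)


@dataclass
class NacPolicy:
    domains: dict[str, str]                   # switch -> security domain
    domain_access: dict[str, Access]          # security domain -> level for known end-systems
    lock_mac: dict[str, tuple[str, int]] = field(default_factory=dict)  # mac -> (switch, port)
    mac_overrides: dict[str, Access] = field(default_factory=dict)      # mac or OUI -> level
    known_macs: set[str] = field(default_factory=set)
    learn_mode: bool = True                   # initial phase: admit and learn every MAC
    unknown_access: Access = Access.RESTRICTED  # enforce phase: level for a new MAC

    def __post_init__(self) -> None:
        # Normalize every MAC-keyed table so lookups do not depend on input formatting.
        self.lock_mac = {normalize_mac(m): loc for m, loc in self.lock_mac.items()}
        self.known_macs = {normalize_mac(m) for m in self.known_macs}
        self.mac_overrides = {normalize_override_key(k): v for k, v in self.mac_overrides.items()}


def authorize(policy: NacPolicy, event: ConnectEvent) -> tuple[Access, str]:
    """Return (access level, reason) for one connect event."""
    mac = normalize_mac(event.mac)
    # 1. Lock MAC: a pinned device is only admitted from its assigned switch/port.
    pinned = policy.lock_mac.get(mac)
    if pinned is not None and pinned != (event.switch, event.port):
        return Access.DENY, f"lock-mac violation, pinned to {pinned[0]}/{pinned[1]}"
    # 2. MAC overrides apply regardless of where or when the device connects;
    #    an exact-MAC override wins over an OUI-prefix override.
    for key in (mac, mac[:8]):
        if key in policy.mac_overrides:
            return policy.mac_overrides[key], f"mac override {key}"
    # 3. Device-based: learn mode admits everything and records the MAC;
    #    enforce mode gives a new MAC the configured 'unknown' level.
    if policy.learn_mode:
        policy.known_macs.add(mac)
    elif mac not in policy.known_macs:
        return policy.unknown_access, "unknown end-system"
    # 4. Location-based: a known end-system's level depends on the security
    #    domain of the switch it connected through.
    domain = policy.domains.get(event.switch, "unassigned")
    return policy.domain_access.get(domain, Access.DENY), f"security domain {domain}"


def sample_policy(learn_mode: bool = False) -> NacPolicy:
    """Constructed policy: lab and data centre are controlled areas, lobby and dorm are open."""
    return NacPolicy(
        domains={"lab-sw1": "lab", "dc-sw1": "datacenter",
                 "lobby-wlc": "open-wireless", "dorm-sw2": "dormitory"},
        domain_access={"lab": Access.ALLOW, "datacenter": Access.ALLOW,
                       "open-wireless": Access.RESTRICTED, "dormitory": Access.RESTRICTED},
        lock_mac={"02-1F-A0-00-00-01": ("dc-sw1", 12)},       # file server pinned behind the firewall
        mac_overrides={"02:0c:29:ab:cd:ef": Access.DENY,      # host known to be worm-infected
                       "02:aa:bb": Access.UNRESTRICTED},       # constructed OUI for IT operations laptops
        known_macs={"02:11:22:33:44:55", "02:1f:a0:00:00:01"},
        learn_mode=learn_mode,
    )


if __name__ == "__main__":
    policy = sample_policy()
    for ev in (ConnectEvent("02:11:22:33:44:55", "lab-sw1", 3),     # engineer in the lab
               ConnectEvent("02:11:22:33:44:55", "lobby-wlc", 1),   # same laptop on lobby wireless
               ConnectEvent("02:1f:a0:00:00:01", "dorm-sw2", 7),    # pinned server moved to a dorm port
               ConnectEvent("02:0c:29:ab:cd:ef", "lab-sw1", 4),     # infected host, even in the lab
               ConnectEvent("02:aa:bb:00:00:07", "dorm-sw2", 9),    # IT operations laptop anywhere
               ConnectEvent("02:99:99:99:99:99", "lab-sw1", 5)):    # never-seen MAC in enforce mode
        level, why = authorize(policy, ev)
        print(f"{ev.mac} via {ev.switch}/{ev.port}: {level.value} ({why})")
```

Running the module prints one decision per constructed event. The engineer's laptop gets full access from the lab and restricted access from the lobby, the pinned server is denied as soon as it appears on any port other than its own, the override entries win regardless of location, and the unknown MAC receives only the "unknown" level until it is learned or registered. Switching `sample_policy(learn_mode=True)` reproduces the initial learning phase, in which the same unknown MAC is admitted at the domain's level and recorded in `known_macs`.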
