Manuals / Enterasys Networks / Household Appliance / Plumbing Product

Enterasys Networks 9034385 manual Evaluate Policy/VLAN and Authentication Configuration

Models: 9034385

1 98

Download 98 pages 26.86 Kb

Page 56

Figure 4-2 Network with Non-Intelligent Edge

Survey the Network

For the inline implementation of the Enterasys NAC solution, the NAC Controller authenticates and authorizes end‐systems locally on the appliance, and does not rely on the capabilities of downstream infrastructure devices. Because of this, the NAC Controller can be utilized in networks where non‐intelligent and/or intelligent infrastructure devices exist at the edge of the network. If the network does not have an intelligent edge, then the NAC Controller must be deployed in order to provide the authentication and authorization capabilities required for implementing network access control, as shown in Figure 4‐2.

Figure 4-2 Network with Non-Intelligent Edge

2. Evaluate Policy/VLAN and Authentication Configuration

Note: This step is not necessary if in step 1 you determined that the network does not have an intelligent edge and the inline NAC Controller appliance will be deployed to provide the authentication and policy enforcement capabilities.

For a network with an intelligent edge, the second step in surveying your network is to evaluate the network authentication method currently being used, and how the deployment of Enterasys NAC will affect it. A network with an intelligent edge can be classified into one of two cases: either authentication is deployed on the network or it is not.

Case #1: No authentication method is deployed on the network.

If authentication is not configured on the network, out‐of‐band NAC can be deployed with minimal configuration by implementing MAC authentication on the intelligent edge of the network (if the edge switches support MAC authentication). The NAC Gateway can be configured

4-4 Design Planning

Image 56

Enterasys Networks 9034385 Evaluate Policy/VLAN and Authentication Configuration, 2 Network with Non-Intelligent Edge

Contents

Design Guide Network Access ControlEnterasys Page Enterasys Networks, Inc 50 Minuteman Road Andover, MA Page Contents About This GuideChapter 1 Overview Chapter 2 NAC Deployment ModelsChapter 4 Design Planning Chapter 5 Design ProceduresChapter 3 Use Scenarios Figures TablesPage Related Documents About This GuideIntended Audience Getting Help NAC Solution Overview AuthenticationOverview Key FunctionalityAuthorization Deployment ModelsAssessment RemediationModel 2 End-System Authorization Model 3 End-System Authorization with AssessmentModel 4 End-System Authorization with Assessment and Remediation Model 1 End-system Detection and TrackingNAC Solution Components AuthorizationAuthorization with The NAC ApplianceNAC Gateway Appliance NAC Controller ApplianceThe NAC Controller is available in two models Appliance Comparison Table 1-2 Comparison of Appliance FunctionalityNAC Function NAC GatewayFeatures Table 1-3 Comparison of Appliance Advantages and DisadvantagesNAC Gateway NAC ControllerNetSight Management NetSight NAC ManagerFeatures NAC GatewaySummary RADIUS ServerAssessment Server NetSight ConsoleEnterasys offers two types of NAC appliances Summary 1-12 OverviewNAC Deployment Models Model 1 End-System Detection and TrackingImplementation Out-of-Band NACFeatures and Value Inline NAC LayerEnd-System and User Tracking IP-to-ID functionality for Security Information Management SIMModel 2 End-System Authorization Required and Optional ComponentsTable 2-1 Component Requirements for Detection and Tracking ComponentInline NAC Authorization ‐ The NAC Gateway allocates the appropriate network resources to the end‐system based on device identity, user identity, and location. For Enterasys policy‐enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end‐system. For RFC 3580‐ capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end‐system. The NAC Gateway may deny the end‐system access to the network by sending a RADIUS Access‐Reject message to the edge switch or assign the end‐system a set of network resources by specifying a particular policy or VLAN to assign to the authenticated end‐system on the edge switchImplementation Out-of-Band NACFeatures and Value Location-Based AuthorizationDevice-Based Authorization User-Based Authorization MAC RegistrationTable 2-2 Component Requirements for Authorization Post-Connect NAC integration with NetSight Automated Security ManagerAuthorization Required and Optional ComponentsModel 3 End-System Authorization with Assessment Model 3 End-System Authorization with AssessmentImplementation Out-of-Band NACInline NAC Extensive Security Posture Compliance Verification Features and ValueDiverse Security Posture Compliance Verification Model 4 End-System Authorization with Assessment and Remediation Table 2-3 Component Requirements for Authorization with AssessmentAuthorization with Required and Optional ComponentsImplementation Out-of-Band NACInline NAC Self-Service RemediationFeatures and Value Authorization with Required and Optional ComponentsComponent Assessment andTable 2-5 Enterasys NAC Deployment Models Deployment ModelValue SummaryScenario 1 Intelligent Wired Access Edge Use ScenariosPolicy-Enabled Edge SwitchAuthenticate AuthenticationRFC 3580 Capable Edge Scenario 1 Intelligent Wired Access Edge3rd Party Switch VLAN=QuarantineScenario 1 Implementation Scenario 2 Intelligent Wireless Access Edge Thin Wireless EdgeAccess WirelessIntelligent Wireless VLAN=QuarantinePoint5 Thick Wireless EdgeAssessment Authentication 3-8 Use Scenarios Scenario 2 ImplementationScenario 2 Intelligent Wireless Access Edge Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 3 Wired LAN Layer 2 Wired LANLayer 2 Wireless LAN Figure 3-5 Non-intelligent Access Edge Wired and WirelessScenario 4 VPN Remote Access Scenario 3 ImplementationFigure 3-6 VPN Remote Access Scenario 4 ImplementationNAC Manager 4 ControllerTable 3-1 Use Scenario Summaries Use ScenarioSummary and Appliance Requirements SummaryTable 3-1 Use Scenario Summaries continued Use ScenarioSummary and Appliance Requirements SummaryDesign Planning Identify the NAC Deployment ModelSurvey the Network 1. Identify the Intelligent Edge of the NetworkFigure 4-1 Network with Intelligent Edge Policy‐enabled Enterasys devices at the physical edge of the networkFigure 4-2 Network with Non-Intelligent Edge 2. Evaluate Policy/VLAN and Authentication ConfigurationCase #1 No authentication method is deployed on the network Case #2 Authentication methods are deployed on the network Overview of Supported Authentication MethodsSupport of Multiple Authentication Methods End-System CapabilitiesSupport for Multiple End-System Connection MAC AuthenticationAuthentication Support on Enterasys Devices Authentication Considerations3. Identify the Strategic Point for End-System Authorization Wired LAN Wireless LANThick Wireless Deployments 4. Identify Network Connection MethodsSite-to-Site VPN Remote Access WANThin Wireless Deployments Summary Remote Access VPNIdentify Inline or Out-of-band NAC Deployment Wired LAN Wireless LAN Remote Access WAN Site‐to‐Site VPN 1. Identify Required NetSight Applications Design ProceduresProcedures for Out-of-Band and Inline NAC 5-2 Design Procedures 2. Define Network Security DomainsProcedures for Out-of-Band and Inline NAC NAC Configurations Figure 5-1 Security DomainAssessment Figure 5-2 NAC ConfigurationAuthentication Authorization How health results are processed5-6 Design Procedures Figure 5-3 NAC Configuration for a Security DomainProcedures for Out-of-Band and Inline NAC Table 5-1 Security Domain Configuration Guidelines Security Domain ConfigurationNetwork Scenario ExamplesTable 5-1 Security Domain Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesTable 5-1 Security Domain Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesTable 5-2 Security Domain Configuration Guidelines for Assessment Security Domain ConfigurationNetwork Scenario ExamplesSecurity Domain Configuration Procedures for Out-of-Band and Inline NACNetwork Scenario Examples3. Identify Required MAC and User Overrides MAC OverridesEnterasys NAC Design Guide Figure 5-4 MAC and User Override ConfigurationProcedures for Out-of-Band and Inline NAC Table 5-3 MAC Override Configuration Guidelines Security Domain ConfigurationNetwork Scenario ExamplesTable 5-3 MAC Override Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesUser Overrides Table 5-3 MAC Override Configuration Guidelines continuedSecurity Domain Configuration Network ScenarioAssessment Design Procedures 1. Determine the Number of Assessment Servers3. Identify Assessment Server Configuration 2. Determine Assessment Server LocationOut-of-Band NAC Design Procedures 1. Identify Network Authentication Configuration2. Determine the Number of NAC Gateways Table 5-4 End-System Limits for NAC GatewaysNAC Gateway Model Concurrent End-Systems SupportedFigure 5-5 NAC Gateway Redundancy 3. Determine NAC Gateway Location 4. Identify Backend RADIUS Server Interaction 5. Determine End-System Mobility Restrictions8. Define NAC Access Policies 6. VLAN Configuration7. Policy Role Configuration Failsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationFigure 5-6 Policy Role Configuration in NetSight Policy Manager Assessment PolicyFigure 5-7 Service for the Assessing Role Quarantine PolicyInline NAC Design Procedures Figure 5-8 Service for the Quarantine Role1. Determine NAC Controller Location Unregistered PolicyHowever, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when moving the NAC Controller towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security 2. Determine the Number of NAC Controllers Table 5-5 End-System Limits for NAC ControllersNAC Controller Model Concurrent End-Systems SupportedFigure 5-9 Layer 2 NAC Controller Redundancy Figure 5-10 Layer 3 NAC Controller Redundancy4. Define Policy Configuration 3. Identify Backend RADIUS Server InteractionFailsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationAdditional Considerations NAC Deployment With an Intrusion Detection System IDSNAC Deployment With NetSight ASM Unregistered Policy5-34 Design Procedures Additional Considerations