Manuals / Enterasys Networks / Household Appliance / Plumbing Product

Enterasys Networks 9034385 manual Wired LAN Wireless LAN Remote Access WAN Site‐to‐Site VPN

Models: 9034385

1 98

Download 98 pages 26.86 Kb

Page 64

Summary

server. In addition, NAC can also be configured to locally authorize MAC authentication requests.

3.Identify the strategic point in the network where end‐system authorization should be implemented.

The most secure place for implementing authorization is directly at the point of connection at the edge of the network, as supported by Enterasys policy‐capable switches. In this configuration, the implementation of out‐of‐band NAC using the NAC Gateway appliance leverages policy on Enterasys switches to securely authorize connecting end‐systems.

If the network infrastructure does not contain intelligent devices at the edge or distribution layer, then inline NAC using the NAC Controller as the authorization point for connecting end‐systems must be implemented.

4.Identify the network connection types being used. The previous steps have been concerned with implementing NAC for the internal LAN. In this step, the following connection types are discussed along with their impact on the Enterasys NAC solution.

–Wired LAN

–Wireless LAN

–Remote Access WAN

–Site‐to‐Site VPN

–Remote Access VPN

Based on the NAC deployment model you select, and the results of your network infrastructure evaluation, you will be able to identify whether out‐of‐band NAC or inline NAC will be deployed in the different areas of your network.

4-12 Design Planning

Image 64

Enterasys Networks 9034385 manual Wired LAN Wireless LAN Remote Access WAN Site‐to‐Site VPN

Contents

Enterasys Network Access ControlDesign Guide Page Enterasys Networks, Inc 50 Minuteman Road Andover, MA Page Contents About This GuideChapter 1 Overview Chapter 2 NAC Deployment ModelsChapter 3 Use Scenarios Chapter 5 Design ProceduresChapter 4 Design Planning Figures TablesPage Intended Audience About This GuideRelated Documents Getting Help NAC Solution Overview AuthenticationOverview Key FunctionalityAuthorization Deployment ModelsAssessment RemediationModel 2 End-System Authorization Model 3 End-System Authorization with AssessmentModel 4 End-System Authorization with Assessment and Remediation Model 1 End-system Detection and TrackingNAC Solution Components AuthorizationAuthorization with The NAC ApplianceNAC Gateway Appliance NAC Controller ApplianceThe NAC Controller is available in two models Appliance Comparison Table 1-2 Comparison of Appliance FunctionalityNAC Function NAC GatewayFeatures Table 1-3 Comparison of Appliance Advantages and DisadvantagesNAC Gateway NAC ControllerNetSight Management NetSight NAC ManagerFeatures NAC GatewaySummary RADIUS ServerAssessment Server NetSight ConsoleEnterasys offers two types of NAC appliances Summary 1-12 OverviewNAC Deployment Models Model 1 End-System Detection and TrackingImplementation Out-of-Band NACFeatures and Value Inline NAC LayerEnd-System and User Tracking IP-to-ID functionality for Security Information Management SIMModel 2 End-System Authorization Required and Optional ComponentsTable 2-1 Component Requirements for Detection and Tracking ComponentInline NAC Authorization ‐ The NAC Gateway allocates the appropriate network resources to the end‐system based on device identity, user identity, and location. For Enterasys policy‐enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end‐system. For RFC 3580‐ capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end‐system. The NAC Gateway may deny the end‐system access to the network by sending a RADIUS Access‐Reject message to the edge switch or assign the end‐system a set of network resources by specifying a particular policy or VLAN to assign to the authenticated end‐system on the edge switchImplementation Out-of-Band NACDevice-Based Authorization Location-Based AuthorizationFeatures and Value User-Based Authorization MAC RegistrationTable 2-2 Component Requirements for Authorization Post-Connect NAC integration with NetSight Automated Security ManagerAuthorization Required and Optional ComponentsModel 3 End-System Authorization with Assessment Model 3 End-System Authorization with AssessmentImplementation Out-of-Band NACInline NAC Extensive Security Posture Compliance Verification Features and ValueDiverse Security Posture Compliance Verification Model 4 End-System Authorization with Assessment and Remediation Table 2-3 Component Requirements for Authorization with AssessmentAuthorization with Required and Optional ComponentsImplementation Out-of-Band NACFeatures and Value Self-Service RemediationInline NAC Authorization with Required and Optional ComponentsComponent Assessment andTable 2-5 Enterasys NAC Deployment Models Deployment ModelValue SummaryScenario 1 Intelligent Wired Access Edge Use ScenariosPolicy-Enabled Edge SwitchAuthenticate AuthenticationRFC 3580 Capable Edge Scenario 1 Intelligent Wired Access Edge3rd Party Switch VLAN=QuarantineScenario 1 Implementation Scenario 2 Intelligent Wireless Access Edge Thin Wireless EdgeAccess WirelessIntelligent Wireless VLAN=QuarantineAssessment Authentication Thick Wireless EdgePoint5 Scenario 2 Intelligent Wireless Access Edge Scenario 2 Implementation3-8 Use Scenarios Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 3 Wired LAN Layer 2 Wired LANLayer 2 Wireless LAN Figure 3-5 Non-intelligent Access Edge Wired and WirelessScenario 4 VPN Remote Access Scenario 3 ImplementationFigure 3-6 VPN Remote Access Scenario 4 ImplementationNAC Manager 4 ControllerTable 3-1 Use Scenario Summaries Use ScenarioSummary and Appliance Requirements SummaryTable 3-1 Use Scenario Summaries continued Use ScenarioSummary and Appliance Requirements SummaryDesign Planning Identify the NAC Deployment ModelSurvey the Network 1. Identify the Intelligent Edge of the NetworkFigure 4-1 Network with Intelligent Edge Policy‐enabled Enterasys devices at the physical edge of the networkCase #1 No authentication method is deployed on the network 2. Evaluate Policy/VLAN and Authentication ConfigurationFigure 4-2 Network with Non-Intelligent Edge Case #2 Authentication methods are deployed on the network Overview of Supported Authentication MethodsSupport of Multiple Authentication Methods End-System CapabilitiesSupport for Multiple End-System Connection MAC AuthenticationAuthentication Support on Enterasys Devices Authentication Considerations3. Identify the Strategic Point for End-System Authorization Wired LAN Wireless LANThick Wireless Deployments 4. Identify Network Connection MethodsThin Wireless Deployments Remote Access WANSite-to-Site VPN Identify Inline or Out-of-band NAC Deployment Remote Access VPNSummary Wired LAN Wireless LAN Remote Access WAN Site‐to‐Site VPN Procedures for Out-of-Band and Inline NAC Design Procedures1. Identify Required NetSight Applications Procedures for Out-of-Band and Inline NAC 2. Define Network Security Domains5-2 Design Procedures NAC Configurations Figure 5-1 Security DomainAuthentication Figure 5-2 NAC ConfigurationAssessment Authorization How health results are processedProcedures for Out-of-Band and Inline NAC Figure 5-3 NAC Configuration for a Security Domain5-6 Design Procedures Table 5-1 Security Domain Configuration Guidelines Security Domain ConfigurationNetwork Scenario ExamplesTable 5-1 Security Domain Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesTable 5-1 Security Domain Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesTable 5-2 Security Domain Configuration Guidelines for Assessment Security Domain ConfigurationNetwork Scenario ExamplesSecurity Domain Configuration Procedures for Out-of-Band and Inline NACNetwork Scenario Examples3. Identify Required MAC and User Overrides MAC OverridesProcedures for Out-of-Band and Inline NAC Figure 5-4 MAC and User Override ConfigurationEnterasys NAC Design Guide Table 5-3 MAC Override Configuration Guidelines Security Domain ConfigurationNetwork Scenario ExamplesTable 5-3 MAC Override Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesUser Overrides Table 5-3 MAC Override Configuration Guidelines continuedSecurity Domain Configuration Network ScenarioAssessment Design Procedures 1. Determine the Number of Assessment Servers3. Identify Assessment Server Configuration 2. Determine Assessment Server LocationOut-of-Band NAC Design Procedures 1. Identify Network Authentication Configuration2. Determine the Number of NAC Gateways Table 5-4 End-System Limits for NAC GatewaysNAC Gateway Model Concurrent End-Systems SupportedFigure 5-5 NAC Gateway Redundancy 3. Determine NAC Gateway Location 4. Identify Backend RADIUS Server Interaction 5. Determine End-System Mobility Restrictions7. Policy Role Configuration 6. VLAN Configuration8. Define NAC Access Policies Failsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationFigure 5-6 Policy Role Configuration in NetSight Policy Manager Assessment PolicyFigure 5-7 Service for the Assessing Role Quarantine PolicyInline NAC Design Procedures Figure 5-8 Service for the Quarantine Role1. Determine NAC Controller Location Unregistered PolicyHowever, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when moving the NAC Controller towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security 2. Determine the Number of NAC Controllers Table 5-5 End-System Limits for NAC ControllersNAC Controller Model Concurrent End-Systems SupportedFigure 5-9 Layer 2 NAC Controller Redundancy Figure 5-10 Layer 3 NAC Controller Redundancy4. Define Policy Configuration 3. Identify Backend RADIUS Server InteractionFailsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationAdditional Considerations NAC Deployment With an Intrusion Detection System IDSNAC Deployment With NetSight ASM Unregistered Policy5-34 Design Procedures Additional Considerations