Manuals / Enterasys Networks / Household Appliance / Plumbing Product

Enterasys Networks 9034385 manual 2 NAC Configuration, Authentication, Assessment

Models: 9034385

1 98

Download 98 pages 26.86 Kb

Page 68

Figure 5-2 NAC Configuration

Procedures for Out-of-Band and Inline NAC

Figure 5-2 NAC Configuration

Authentication

The Authentication settings define how RADIUS requests are handled for authenticating end‐ systems (this does not apply to Layer 3 NAC Controllers.) This includes identifying whether MAC authentication requests are proxied upstream or locally authorized, and whether Filter‐ID and Tunnel RADIUS attributes are added to RADIUS messages during the authentication process.

Assessment

The Assessment Configuration defines the following requirements for end‐system assessment:

•What assessment tests to run.

The Assessment Configuration determines what types of assessment tests are executed and what parameters are used. For example, you can specify a Nessus assessment utilizing a specific Nessus configuration file that determines end‐system compliance with the SANS Top 20 vulnerabilities. The same Nessus server can be used to assess Windows machines for Windows‐related vulnerabilities and also assess MAC OS‐based machines for MAC‐related vulnerabilities. In addition, you can specify Nessus as well as other assessment services to jointly determine the security posture of a connecting device.

•What resources to use to run the assessment.

The Assessment Configuration determines what assessment servers are used to perform the assessment. You can balance the assessment load between all your assessment servers, or you can select a specific assessment server pool to use. For example, assuming Nessus is chosen for assessment, end‐systems connecting to the network in the companyʹs headquarters can be assessed with the Nessus server deployed in the headquarters, while end‐systems in a branch office will be assessed with Nessus servers deployed in the branch office, conserving bandwidth utilization on the network.

5-4 Design Procedures

Image 68

Enterasys Networks 9034385 manual 2 NAC Configuration, Authentication, Assessment

Contents

Design Guide Network Access ControlEnterasys Page Enterasys Networks, Inc 50 Minuteman Road Andover, MA Page Contents About This GuideChapter 1 Overview Chapter 2 NAC Deployment ModelsChapter 4 Design Planning Chapter 5 Design ProceduresChapter 3 Use Scenarios Figures TablesPage Related Documents About This GuideIntended Audience Getting Help NAC Solution Overview AuthenticationOverview Key FunctionalityAuthorization Deployment ModelsAssessment RemediationModel 2 End-System Authorization Model 3 End-System Authorization with AssessmentModel 4 End-System Authorization with Assessment and Remediation Model 1 End-system Detection and TrackingNAC Solution Components AuthorizationAuthorization with The NAC ApplianceNAC Gateway Appliance NAC Controller ApplianceThe NAC Controller is available in two models Appliance Comparison Table 1-2 Comparison of Appliance FunctionalityNAC Function NAC GatewayFeatures Table 1-3 Comparison of Appliance Advantages and DisadvantagesNAC Gateway NAC ControllerNetSight Management NetSight NAC ManagerFeatures NAC GatewaySummary RADIUS ServerAssessment Server NetSight ConsoleEnterasys offers two types of NAC appliances Summary 1-12 OverviewNAC Deployment Models Model 1 End-System Detection and TrackingImplementation Out-of-Band NACFeatures and Value Inline NAC LayerEnd-System and User Tracking IP-to-ID functionality for Security Information Management SIMModel 2 End-System Authorization Required and Optional ComponentsTable 2-1 Component Requirements for Detection and Tracking ComponentInline NAC Authorization ‐ The NAC Gateway allocates the appropriate network resources to the end‐system based on device identity, user identity, and location. For Enterasys policy‐enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end‐system. For RFC 3580‐ capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end‐system. The NAC Gateway may deny the end‐system access to the network by sending a RADIUS Access‐Reject message to the edge switch or assign the end‐system a set of network resources by specifying a particular policy or VLAN to assign to the authenticated end‐system on the edge switchImplementation Out-of-Band NACFeatures and Value Location-Based AuthorizationDevice-Based Authorization User-Based Authorization MAC RegistrationTable 2-2 Component Requirements for Authorization Post-Connect NAC integration with NetSight Automated Security ManagerAuthorization Required and Optional ComponentsModel 3 End-System Authorization with Assessment Model 3 End-System Authorization with AssessmentImplementation Out-of-Band NACInline NAC Extensive Security Posture Compliance Verification Features and ValueDiverse Security Posture Compliance Verification Model 4 End-System Authorization with Assessment and Remediation Table 2-3 Component Requirements for Authorization with AssessmentAuthorization with Required and Optional ComponentsImplementation Out-of-Band NACInline NAC Self-Service RemediationFeatures and Value Authorization with Required and Optional ComponentsComponent Assessment andTable 2-5 Enterasys NAC Deployment Models Deployment ModelValue SummaryScenario 1 Intelligent Wired Access Edge Use ScenariosPolicy-Enabled Edge SwitchAuthenticate AuthenticationRFC 3580 Capable Edge Scenario 1 Intelligent Wired Access Edge3rd Party Switch VLAN=QuarantineScenario 1 Implementation Scenario 2 Intelligent Wireless Access Edge Thin Wireless EdgeAccess WirelessIntelligent Wireless VLAN=QuarantinePoint5 Thick Wireless EdgeAssessment Authentication 3-8 Use Scenarios Scenario 2 ImplementationScenario 2 Intelligent Wireless Access Edge Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 3 Wired LAN Layer 2 Wired LANLayer 2 Wireless LAN Figure 3-5 Non-intelligent Access Edge Wired and WirelessScenario 4 VPN Remote Access Scenario 3 ImplementationFigure 3-6 VPN Remote Access Scenario 4 ImplementationNAC Manager 4 ControllerTable 3-1 Use Scenario Summaries Use ScenarioSummary and Appliance Requirements SummaryTable 3-1 Use Scenario Summaries continued Use ScenarioSummary and Appliance Requirements SummaryDesign Planning Identify the NAC Deployment ModelSurvey the Network 1. Identify the Intelligent Edge of the NetworkFigure 4-1 Network with Intelligent Edge Policy‐enabled Enterasys devices at the physical edge of the networkFigure 4-2 Network with Non-Intelligent Edge 2. Evaluate Policy/VLAN and Authentication ConfigurationCase #1 No authentication method is deployed on the network Case #2 Authentication methods are deployed on the network Overview of Supported Authentication MethodsSupport of Multiple Authentication Methods End-System CapabilitiesSupport for Multiple End-System Connection MAC AuthenticationAuthentication Support on Enterasys Devices Authentication Considerations3. Identify the Strategic Point for End-System Authorization Wired LAN Wireless LANThick Wireless Deployments 4. Identify Network Connection MethodsSite-to-Site VPN Remote Access WANThin Wireless Deployments Summary Remote Access VPNIdentify Inline or Out-of-band NAC Deployment Wired LAN Wireless LAN Remote Access WAN Site‐to‐Site VPN 1. Identify Required NetSight Applications Design ProceduresProcedures for Out-of-Band and Inline NAC 5-2 Design Procedures 2. Define Network Security DomainsProcedures for Out-of-Band and Inline NAC NAC Configurations Figure 5-1 Security DomainAssessment Figure 5-2 NAC ConfigurationAuthentication Authorization How health results are processed5-6 Design Procedures Figure 5-3 NAC Configuration for a Security DomainProcedures for Out-of-Band and Inline NAC Table 5-1 Security Domain Configuration Guidelines Security Domain ConfigurationNetwork Scenario ExamplesTable 5-1 Security Domain Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesTable 5-1 Security Domain Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesTable 5-2 Security Domain Configuration Guidelines for Assessment Security Domain ConfigurationNetwork Scenario ExamplesSecurity Domain Configuration Procedures for Out-of-Band and Inline NACNetwork Scenario Examples3. Identify Required MAC and User Overrides MAC OverridesEnterasys NAC Design Guide Figure 5-4 MAC and User Override ConfigurationProcedures for Out-of-Band and Inline NAC Table 5-3 MAC Override Configuration Guidelines Security Domain ConfigurationNetwork Scenario ExamplesTable 5-3 MAC Override Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesUser Overrides Table 5-3 MAC Override Configuration Guidelines continuedSecurity Domain Configuration Network ScenarioAssessment Design Procedures 1. Determine the Number of Assessment Servers3. Identify Assessment Server Configuration 2. Determine Assessment Server LocationOut-of-Band NAC Design Procedures 1. Identify Network Authentication Configuration2. Determine the Number of NAC Gateways Table 5-4 End-System Limits for NAC GatewaysNAC Gateway Model Concurrent End-Systems SupportedFigure 5-5 NAC Gateway Redundancy 3. Determine NAC Gateway Location 4. Identify Backend RADIUS Server Interaction 5. Determine End-System Mobility Restrictions8. Define NAC Access Policies 6. VLAN Configuration7. Policy Role Configuration Failsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationFigure 5-6 Policy Role Configuration in NetSight Policy Manager Assessment PolicyFigure 5-7 Service for the Assessing Role Quarantine PolicyInline NAC Design Procedures Figure 5-8 Service for the Quarantine Role1. Determine NAC Controller Location Unregistered PolicyHowever, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when moving the NAC Controller towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security 2. Determine the Number of NAC Controllers Table 5-5 End-System Limits for NAC ControllersNAC Controller Model Concurrent End-Systems SupportedFigure 5-9 Layer 2 NAC Controller Redundancy Figure 5-10 Layer 3 NAC Controller Redundancy4. Define Policy Configuration 3. Identify Backend RADIUS Server InteractionFailsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationAdditional Considerations NAC Deployment With an Intrusion Detection System IDSNAC Deployment With NetSight ASM Unregistered Policy5-34 Design Procedures Additional Considerations