Manuals / Enterasys Networks / Household Appliance / Plumbing Product

Enterasys Networks 9034385 manual Authorization, How health results are processed

Models: 9034385

1 98

Download 98 pages 26.86 Kb

Page 69

Procedures for Out-of-Band and Inline NAC

•How health results are processed.

When an assessment is performed on an end‐system, a “health result” is generated. For each health result, there may be several “health result details.” A health result detail is a result for an individual test performed during the assessment. Each health result detail is given a score ranging from 1 to 10, and based on this score, the health result is assigned a risk level.

However, it is possible to override the score with a different value that better aligns the score with the enterpriseʹs compliance policy. For example, Wireshark is a popular network traffic analysis application that can be used for both informational and malicious intentions. If IT operations determines that Wireshark is an application that should not be installed on end‐ systems connecting to the network, a scoring override can be configured to associate a high‐ risk score if Wireshark is detected on an end‐system.

•Which end‐systems are quarantined.

NAC Manager uses risk levels to determine whether or not an end‐system will be quarantined. Based on the scores from the health result details, end‐system are classified into one of four risk levels: high risk, medium risk, low risk, and no risk. Depending on the risk level to which the end‐system is classified, the end‐system may be quarantined.

Authorization

The NAC configuration also specifies the authorization levels, referred to as “access policies,” that will be applied to the end‐system, depending on the authentication and assessment results.

•Accept Policy – the policy that is assigned to compliant end‐systems.

•Quarantine Policy– the policy that is assigned to noncompliant end‐systems that have failed assessment.

•Assessment Policy – the policy that is (optionally) assigned to end‐systems while they are being assessed.

•Failsafe Policy – the policy that is assigned to end‐systems when an error occurs in the NAC process.

Enterasys NAC Design Guide 5-5

Image 69

Enterasys Networks 9034385 manual Authorization, How health results are processed

Contents

Network Access Control EnterasysDesign Guide Page Enterasys Networks, Inc 50 Minuteman Road Andover, MA Page About This Guide ContentsChapter 1 Overview Chapter 2 NAC Deployment ModelsChapter 5 Design Procedures Chapter 3 Use ScenariosChapter 4 Design Planning Tables FiguresPage About This Guide Intended AudienceRelated Documents Getting Help Authentication NAC Solution OverviewOverview Key FunctionalityDeployment Models AuthorizationAssessment RemediationModel 3 End-System Authorization with Assessment Model 2 End-System AuthorizationModel 4 End-System Authorization with Assessment and Remediation Model 1 End-system Detection and TrackingAuthorization NAC Solution ComponentsAuthorization with The NAC ApplianceNAC Controller Appliance NAC Gateway ApplianceThe NAC Controller is available in two models Table 1-2 Comparison of Appliance Functionality Appliance ComparisonNAC Function NAC GatewayTable 1-3 Comparison of Appliance Advantages and Disadvantages FeaturesNAC Gateway NAC ControllerNetSight NAC Manager NetSight ManagementFeatures NAC GatewayRADIUS Server SummaryAssessment Server NetSight ConsoleEnterasys offers two types of NAC appliances 1-12 Overview SummaryModel 1 End-System Detection and Tracking NAC Deployment ModelsImplementation Out-of-Band NACInline NAC Layer Features and ValueEnd-System and User Tracking IP-to-ID functionality for Security Information Management SIMRequired and Optional Components Model 2 End-System AuthorizationTable 2-1 Component Requirements for Detection and Tracking ComponentAuthorization ‐ The NAC Gateway allocates the appropriate network resources to the end‐system based on device identity, user identity, and location. For Enterasys policy‐enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end‐system. For RFC 3580‐ capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end‐system. The NAC Gateway may deny the end‐system access to the network by sending a RADIUS Access‐Reject message to the edge switch or assign the end‐system a set of network resources by specifying a particular policy or VLAN to assign to the authenticated end‐system on the edge switch Inline NACImplementation Out-of-Band NACLocation-Based Authorization Device-Based AuthorizationFeatures and Value MAC Registration User-Based AuthorizationPost-Connect NAC integration with NetSight Automated Security Manager Table 2-2 Component Requirements for AuthorizationAuthorization Required and Optional ComponentsModel 3 End-System Authorization with Assessment Model 3 End-System Authorization with AssessmentImplementation Out-of-Band NACInline NAC Features and Value Extensive Security Posture Compliance VerificationDiverse Security Posture Compliance Verification Table 2-3 Component Requirements for Authorization with Assessment Model 4 End-System Authorization with Assessment and RemediationAuthorization with Required and Optional ComponentsOut-of-Band NAC ImplementationSelf-Service Remediation Features and ValueInline NAC Required and Optional Components Authorization withComponent Assessment andDeployment Model Table 2-5 Enterasys NAC Deployment ModelsValue SummaryUse Scenarios Scenario 1 Intelligent Wired Access EdgeSwitch Policy-Enabled EdgeAuthenticate AuthenticationScenario 1 Intelligent Wired Access Edge RFC 3580 Capable Edge3rd Party Switch VLAN=QuarantineScenario 1 Implementation Thin Wireless Edge Scenario 2 Intelligent Wireless Access EdgeWireless AccessIntelligent Wireless VLAN=QuarantineThick Wireless Edge Assessment AuthenticationPoint5 Scenario 2 Implementation Scenario 2 Intelligent Wireless Access Edge3-8 Use Scenarios Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 2 Wired LAN Layer 3 Wired LANLayer 2 Wireless LAN Figure 3-5 Non-intelligent Access Edge Wired and WirelessScenario 3 Implementation Scenario 4 VPN Remote AccessScenario 4 Implementation Figure 3-6 VPN Remote AccessNAC Manager 4 ControllerUse Scenario Table 3-1 Use Scenario SummariesSummary and Appliance Requirements SummaryUse Scenario Table 3-1 Use Scenario Summaries continuedSummary and Appliance Requirements SummaryIdentify the NAC Deployment Model Design Planning1. Identify the Intelligent Edge of the Network Survey the NetworkPolicy‐enabled Enterasys devices at the physical edge of the network Figure 4-1 Network with Intelligent Edge2. Evaluate Policy/VLAN and Authentication Configuration Case #1 No authentication method is deployed on the networkFigure 4-2 Network with Non-Intelligent Edge Overview of Supported Authentication Methods Case #2 Authentication methods are deployed on the networkEnd-System Capabilities Support of Multiple Authentication MethodsSupport for Multiple End-System Connection MAC AuthenticationAuthentication Considerations Authentication Support on Enterasys Devices3. Identify the Strategic Point for End-System Authorization Wireless LAN Wired LANThick Wireless Deployments 4. Identify Network Connection MethodsRemote Access WAN Thin Wireless DeploymentsSite-to-Site VPN Remote Access VPN Identify Inline or Out-of-band NAC DeploymentSummary Wired LAN Wireless LAN Remote Access WAN Site‐to‐Site VPN Design Procedures Procedures for Out-of-Band and Inline NAC1. Identify Required NetSight Applications 2. Define Network Security Domains Procedures for Out-of-Band and Inline NAC5-2 Design Procedures Figure 5-1 Security Domain NAC ConfigurationsFigure 5-2 NAC Configuration AuthenticationAssessment How health results are processed AuthorizationFigure 5-3 NAC Configuration for a Security Domain Procedures for Out-of-Band and Inline NAC5-6 Design Procedures Security Domain Configuration Table 5-1 Security Domain Configuration GuidelinesNetwork Scenario ExamplesSecurity Domain Configuration Table 5-1 Security Domain Configuration Guidelines continuedNetwork Scenario ExamplesSecurity Domain Configuration Table 5-1 Security Domain Configuration Guidelines continuedNetwork Scenario ExamplesSecurity Domain Configuration Table 5-2 Security Domain Configuration Guidelines for AssessmentNetwork Scenario ExamplesProcedures for Out-of-Band and Inline NAC Security Domain ConfigurationNetwork Scenario ExamplesMAC Overrides 3. Identify Required MAC and User OverridesFigure 5-4 MAC and User Override Configuration Procedures for Out-of-Band and Inline NACEnterasys NAC Design Guide Security Domain Configuration Table 5-3 MAC Override Configuration GuidelinesNetwork Scenario ExamplesSecurity Domain Configuration Table 5-3 MAC Override Configuration Guidelines continuedNetwork Scenario ExamplesTable 5-3 MAC Override Configuration Guidelines continued User OverridesSecurity Domain Configuration Network Scenario1. Determine the Number of Assessment Servers Assessment Design Procedures2. Determine Assessment Server Location 3. Identify Assessment Server Configuration1. Identify Network Authentication Configuration Out-of-Band NAC Design ProceduresTable 5-4 End-System Limits for NAC Gateways 2. Determine the Number of NAC GatewaysNAC Gateway Model Concurrent End-Systems SupportedFigure 5-5 NAC Gateway Redundancy 3. Determine NAC Gateway Location 5. Determine End-System Mobility Restrictions 4. Identify Backend RADIUS Server Interaction6. VLAN Configuration 7. Policy Role Configuration8. Define NAC Access Policies Assessment Policy and Quarantine Policy Configuration Failsafe Policy and Accept Policy ConfigurationAssessment Policy Figure 5-6 Policy Role Configuration in NetSight Policy ManagerQuarantine Policy Figure 5-7 Service for the Assessing RoleFigure 5-8 Service for the Quarantine Role Inline NAC Design Procedures1. Determine NAC Controller Location Unregistered PolicyHowever, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when moving the NAC Controller towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security Table 5-5 End-System Limits for NAC Controllers 2. Determine the Number of NAC ControllersNAC Controller Model Concurrent End-Systems SupportedFigure 5-10 Layer 3 NAC Controller Redundancy Figure 5-9 Layer 2 NAC Controller Redundancy3. Identify Backend RADIUS Server Interaction 4. Define Policy ConfigurationFailsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationNAC Deployment With an Intrusion Detection System IDS Additional ConsiderationsNAC Deployment With NetSight ASM Unregistered PolicyAdditional Considerations 5-34 Design Procedures