Manuals / Enterasys Networks / Household Appliance / Plumbing Product

Enterasys Networks 9034385 manual Figures, Tables

Models: 9034385

1 98

Download 98 pages 26.86 Kb

Page 7

	Unregistered Policy	5-28
Inline NAC Design Procedures		5-28
1.	Determine NAC Controller Location	5-28
2.	Determine the Number of NAC Controllers	5-30
3.	Identify Backend RADIUS Server Interaction	5-32
4.	Define Policy Configuration	5-32
	Failsafe Policy and Accept Policy Configuration	5-32
	Assessment Policy and Quarantine Policy Configuration	5-32
	Unregistered Policy	5-33
Additional Considerations		5-33
NAC Deployment With an Intrusion Detection System (IDS)		5-33
NAC Deployment With NetSight ASM		5-33

Figures

3-1	Intelligent Wired Access Edge with Enterasys Policy-Enabled Devices	3-2
3-2	Intelligent Wired Access Edge with RFC 3580 Capable Devices	3-3
3-3	Intelligent Wireless Access Edge - Thin APs with Wireless Switch	3-6
3-4	Intelligent Wireless Access Edge - Intelligent AP (RFC 3580 Compliant	3-7
3-5	Non-intelligent Access Edge (Wired and Wireless)	3-10
3-6	VPN Remote Access	3-12
4-1	Network with Intelligent Edge	4-3
4-2	Network with Non-Intelligent Edge	4-4
5-1	Security Domain	5-3
5-2	NAC Configuration	5-4
5-3	NAC Configuration for a Security Domain	5-6
5-4	MAC and User Override Configuration	5-13
5-5	NAC Gateway Redundancy	5-21
5-6	Policy Role Configuration in NetSight Policy Manager	5-26
5-7	Service for the Assessing Role	5-27
5-8	Service for the Quarantine Role	5-28
5-9	Layer 2 NAC Controller Redundancy	5-31
5-10	Layer 3 NAC Controller Redundancy	5-31

Tables

1-1	Component Requirements for NAC Deployment Models	1-4
1-2	Comparison of Appliance Functionality	1-7
1-3	Comparison of Appliance Advantages and Disadvantages	1-8
2-1	Component Requirements for Detection and Tracking	2-3
2-2	Component Requirements for Authorization	2-7
2-3	Component Requirements for Authorization with Assessment	2-12
2-4	Component Requirements for Authorization with Assessment and Remediation	2-15
2-5	Enterasys NAC Deployment Models	2-16
3-1	Use Scenario Summaries	3-13
5-1	Security Domain Configuration Guidelines	5-7
5-2	Security Domain Configuration Guidelines for Assessment	5-10
5-3	MAC Override Configuration Guidelines	5-14
5-4	End-System Limits for NAC Gateways	5-20
5-5	End-System Limits for NAC Controllers	5-30

v

Image 7

Enterasys Networks 9034385 manual Figures, Tables

Contents

Enterasys Network Access ControlDesign Guide Page Enterasys Networks, Inc 50 Minuteman Road Andover, MA Page Chapter 2 NAC Deployment Models ContentsAbout This Guide Chapter 1 OverviewChapter 3 Use Scenarios Chapter 5 Design ProceduresChapter 4 Design Planning Tables FiguresPage Intended Audience About This GuideRelated Documents Getting Help Key Functionality NAC Solution OverviewAuthentication OverviewRemediation AuthorizationDeployment Models AssessmentModel 1 End-system Detection and Tracking Model 2 End-System AuthorizationModel 3 End-System Authorization with Assessment Model 4 End-System Authorization with Assessment and RemediationThe NAC Appliance NAC Solution ComponentsAuthorization Authorization withNAC Controller Appliance NAC Gateway ApplianceThe NAC Controller is available in two models NAC Gateway Appliance ComparisonTable 1-2 Comparison of Appliance Functionality NAC FunctionNAC Controller FeaturesTable 1-3 Comparison of Appliance Advantages and Disadvantages NAC GatewayNAC Gateway NetSight ManagementNetSight NAC Manager FeaturesNetSight Console SummaryRADIUS Server Assessment ServerEnterasys offers two types of NAC appliances 1-12 Overview SummaryOut-of-Band NAC NAC Deployment ModelsModel 1 End-System Detection and Tracking ImplementationIP-to-ID functionality for Security Information Management SIM Features and ValueInline NAC Layer End-System and User TrackingComponent Model 2 End-System AuthorizationRequired and Optional Components Table 2-1 Component Requirements for Detection and TrackingOut-of-Band NAC Inline NACAuthorization ‐ The NAC Gateway allocates the appropriate network resources to the end‐system based on device identity, user identity, and location. For Enterasys policy‐enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end‐system. For RFC 3580‐ capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end‐system. The NAC Gateway may deny the end‐system access to the network by sending a RADIUS Access‐Reject message to the edge switch or assign the end‐system a set of network resources by specifying a particular policy or VLAN to assign to the authenticated end‐system on the edge switch ImplementationDevice-Based Authorization Location-Based AuthorizationFeatures and Value MAC Registration User-Based AuthorizationRequired and Optional Components Table 2-2 Component Requirements for AuthorizationPost-Connect NAC integration with NetSight Automated Security Manager AuthorizationOut-of-Band NAC Model 3 End-System Authorization with AssessmentModel 3 End-System Authorization with Assessment ImplementationInline NAC Features and Value Extensive Security Posture Compliance VerificationDiverse Security Posture Compliance Verification Required and Optional Components Model 4 End-System Authorization with Assessment and RemediationTable 2-3 Component Requirements for Authorization with Assessment Authorization withOut-of-Band NAC ImplementationFeatures and Value Self-Service RemediationInline NAC Assessment and Authorization withRequired and Optional Components ComponentSummary Table 2-5 Enterasys NAC Deployment ModelsDeployment Model ValueUse Scenarios Scenario 1 Intelligent Wired Access EdgeAuthentication Policy-Enabled EdgeSwitch AuthenticateVLAN=Quarantine RFC 3580 Capable EdgeScenario 1 Intelligent Wired Access Edge 3rd Party SwitchScenario 1 Implementation Thin Wireless Edge Scenario 2 Intelligent Wireless Access EdgeVLAN=Quarantine AccessWireless Intelligent WirelessAssessment Authentication Thick Wireless EdgePoint5 Scenario 2 Intelligent Wireless Access Edge Scenario 2 Implementation3-8 Use Scenarios Scenario 3 Non-intelligent Access Edge Wired and Wireless Figure 3-5 Non-intelligent Access Edge Wired and Wireless Layer 3 Wired LANLayer 2 Wired LAN Layer 2 Wireless LANScenario 3 Implementation Scenario 4 VPN Remote Access4 Controller Figure 3-6 VPN Remote AccessScenario 4 Implementation NAC ManagerSummary Table 3-1 Use Scenario SummariesUse Scenario Summary and Appliance RequirementsSummary Table 3-1 Use Scenario Summaries continuedUse Scenario Summary and Appliance RequirementsIdentify the NAC Deployment Model Design Planning1. Identify the Intelligent Edge of the Network Survey the NetworkPolicy‐enabled Enterasys devices at the physical edge of the network Figure 4-1 Network with Intelligent EdgeCase #1 No authentication method is deployed on the network 2. Evaluate Policy/VLAN and Authentication ConfigurationFigure 4-2 Network with Non-Intelligent Edge Overview of Supported Authentication Methods Case #2 Authentication methods are deployed on the networkMAC Authentication Support of Multiple Authentication MethodsEnd-System Capabilities Support for Multiple End-System ConnectionAuthentication Considerations Authentication Support on Enterasys Devices3. Identify the Strategic Point for End-System Authorization 4. Identify Network Connection Methods Wired LANWireless LAN Thick Wireless DeploymentsThin Wireless Deployments Remote Access WANSite-to-Site VPN Identify Inline or Out-of-band NAC Deployment Remote Access VPNSummary Wired LAN Wireless LAN Remote Access WAN Site‐to‐Site VPN Procedures for Out-of-Band and Inline NAC Design Procedures1. Identify Required NetSight Applications Procedures for Out-of-Band and Inline NAC 2. Define Network Security Domains5-2 Design Procedures Figure 5-1 Security Domain NAC ConfigurationsAuthentication Figure 5-2 NAC ConfigurationAssessment How health results are processed AuthorizationProcedures for Out-of-Band and Inline NAC Figure 5-3 NAC Configuration for a Security Domain5-6 Design Procedures Examples Table 5-1 Security Domain Configuration GuidelinesSecurity Domain Configuration Network ScenarioExamples Table 5-1 Security Domain Configuration Guidelines continuedSecurity Domain Configuration Network ScenarioExamples Table 5-1 Security Domain Configuration Guidelines continuedSecurity Domain Configuration Network ScenarioExamples Table 5-2 Security Domain Configuration Guidelines for AssessmentSecurity Domain Configuration Network ScenarioExamples Security Domain ConfigurationProcedures for Out-of-Band and Inline NAC Network ScenarioMAC Overrides 3. Identify Required MAC and User OverridesProcedures for Out-of-Band and Inline NAC Figure 5-4 MAC and User Override ConfigurationEnterasys NAC Design Guide Examples Table 5-3 MAC Override Configuration GuidelinesSecurity Domain Configuration Network ScenarioExamples Table 5-3 MAC Override Configuration Guidelines continuedSecurity Domain Configuration Network ScenarioNetwork Scenario User OverridesTable 5-3 MAC Override Configuration Guidelines continued Security Domain Configuration1. Determine the Number of Assessment Servers Assessment Design Procedures2. Determine Assessment Server Location 3. Identify Assessment Server Configuration1. Identify Network Authentication Configuration Out-of-Band NAC Design ProceduresConcurrent End-Systems Supported 2. Determine the Number of NAC GatewaysTable 5-4 End-System Limits for NAC Gateways NAC Gateway ModelFigure 5-5 NAC Gateway Redundancy 3. Determine NAC Gateway Location 5. Determine End-System Mobility Restrictions 4. Identify Backend RADIUS Server Interaction7. Policy Role Configuration 6. VLAN Configuration8. Define NAC Access Policies Assessment Policy and Quarantine Policy Configuration Failsafe Policy and Accept Policy ConfigurationAssessment Policy Figure 5-6 Policy Role Configuration in NetSight Policy ManagerQuarantine Policy Figure 5-7 Service for the Assessing RoleUnregistered Policy Inline NAC Design ProceduresFigure 5-8 Service for the Quarantine Role 1. Determine NAC Controller LocationHowever, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when moving the NAC Controller towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security Concurrent End-Systems Supported 2. Determine the Number of NAC ControllersTable 5-5 End-System Limits for NAC Controllers NAC Controller ModelFigure 5-10 Layer 3 NAC Controller Redundancy Figure 5-9 Layer 2 NAC Controller RedundancyAssessment Policy and Quarantine Policy Configuration 4. Define Policy Configuration3. Identify Backend RADIUS Server Interaction Failsafe Policy and Accept Policy ConfigurationUnregistered Policy Additional ConsiderationsNAC Deployment With an Intrusion Detection System IDS NAC Deployment With NetSight ASMAdditional Considerations 5-34 Design Procedures