Procedures for Out-of-Band and Inline NAC

Table 5-1 Security Domain Configuration Guidelines (continued)

Network Scenario

Examples

Security Domain Configuration

 

 

 

Area of the network that

• Switches that provide access to

provides access to a group of

guest users or contractors on a

users or devices that pose a

corporate network. These users are

potentially high risk to the

usually not directly under the

security or stability of the

administrative control of IT

network.

operations and pose additional risks

 

to the network.

 

• Switches that provide access to

 

users within an organization that are

 

allowed to engage in high risk

 

behaviors on the network, or are not

 

protected by security mechanisms

 

such as a firewall or Intrusion

 

Detection Systems (IDS). A sales

 

organization that uses the Internet

 

as a necessary part of their job, or a

 

branch office location that is not

 

protected by a firewall would both be

 

characterized as high risk groups of

 

users.

 

• Wireless Access Points (APs) that

 

are configured with an open wireless

 

network or a wireless network that is

 

secured through weak

 

authentication/encryption

 

mechanisms such as WEP. End-

 

systems on these networks pose a

 

greater risk to the organization

 

because access to the network by

 

untrusted users is easier.

 

 

Area of the network that is more

• Switches that front-end a distribution

apt to affect the network's

layer device that often crashes in the

overall security or stability.

event of security threats or other

 

events on the network. Assigning a

 

more restrictive policy to these end-

 

systems protects against the

 

instability of the infrastructure

 

devices.

 

 

Area of the network where

• Switches that provide access to

authentication is not deployed

conference rooms, libraries, and

and open network access is

other areas commonly used by

available.

untrusted users.

 

• Access points that provide guest

 

access to an open SSID.

Impose a more restrictive set of network resources in the authorization of connecting end- systems, and execute a thorough security posture assessment of connecting end-systems (if assessment is implemented on the network).

These measures limit the network exposure to security threat propagation and protect against network instability.

In NAC Manager, create a Security Domain with the following configuration attributes:

With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Replace RADIUS Attributes with Accept Policy” option and specify a restrictive policy or VLAN in the Accept Policy field. Furthermore, a more extensive Assessment Configuration may be selected to scan these devices with a larger set of assessment parameters.

This allows the administrator to locally authorize MAC authentication requests and overwrite the policy information returned from the RADIUS server with a more restrictive policy.

Configure the Accept Policy with a policy or VLAN that provides more restrictive network access for end-systems posing a higher risk.

5-8 Design Procedures

Page 71 Page 73
Page 72
Image 72
Enterasys Networks 9034385 manual To the network
Page 71 Page 73

9034385 specifications

Enterasys Networks 9034385 is a powerful networking component designed to enhance enterprise-level connectivity and ensure robust network management capabilities. This device offers a wide range of features that cater to the demanding requirements of modern businesses, focusing on performance, reliability, and security.

One of the main features of the Enterasys Networks 9034385 is its advanced Layer 2 and Layer 3 switching capabilities, which enable efficient data processing and robust network performance. With support for various VLAN configurations, the device allows organizations to segment their networks effectively, leading to improved security and better traffic management.

Another critical aspect of the 9034385 is its support for high-speed connectivity. The device features multiple gigabit Ethernet ports, providing sufficient bandwidth for data-intensive applications commonly used in enterprise environments. The high-speed connections ensure that users can access applications and data quickly and reliably, minimizing latency issues that can affect productivity.

In terms of management, Enterasys Networks has equipped the 9034385 with advanced monitoring and diagnostic tools. These capabilities allow network administrators to track performance metrics, identify potential issues proactively, and make informed decisions about network resource allocation. The inclusion of SNMP (Simple Network Management Protocol) facilitates seamless integration with network management systems, providing comprehensive oversight of network health and performance.

Security is a paramount consideration for the 9034385, which incorporates advanced security protocols to protect sensitive data. Features such as port security, DHCP snooping, and dynamic ARP inspection help safeguard the network against unauthorized access and cyber threats. Furthermore, the device supports authentication mechanisms like 802.1X, ensuring that only authorized users and devices can connect to the network.

The Enterasys Networks 9034385 also stands out due to its seamless integration with cloud-based services and support for virtualization technologies. This compatibility enables organizations to adopt flexible architectures and manage their resources more efficiently. Additionally, the device is designed with scalability in mind, allowing businesses to expand their networks without significant hardware changes or disruptions.

Overall, the Enterasys Networks 9034385 is a versatile and powerful networking solution ideal for enterprises looking to enhance their network infrastructure while ensuring performance, security, and ease of management. The combination of advanced features and technologies makes it a valuable asset for businesses of all sizes striving for efficient and reliable connectivity.
Top Page Image Contents