Enterasys Networks 9034385 1 Security Domain Configuration Guidelines continued, Network Scenario

Area of the network that is configured to allow access only to specific end-systems or users.

•Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks.

For the NAC Gateway, reject all RADIUS authentication attempts. For the NAC Controller, set the Accept Policy to a highly restrictive policy or VLAN such as “Deny All.“

This allows the administrator to locally authorize specific MAC addresses or users by using MAC and user overrides, and rejecting all other connection attempts to the network.

Area of the network that provides access to a group of users or devices that pose a guaranteed low risk to the security and stability of the network.

•Switches that provide network access to servers that are highly protected from attack through the implementation of firewalls as well as network-based and host-based IDS.

•Switches that provide network access to end-systems that are highly managed and restricted from risky network behaviors, such as end-systems that are restricted from Internet access and always kept up- to-date with the latest anti-virus and anti-malware definitions. This may include devices restricted to communication on the private LAN, and data center or network IT operations devices.

Authorize connecting end-systems with a less restrictive set of network resources, and either don’t implement assessment, or implement assessment less frequently and with fewer parameters.

In NAC Manager, create a Security Domain with the following configuration attributes:

•With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Replace RADIUS Attributes with Accept Policy” option and specify a non-restrictive policy or VLAN in the Accept Policy field.

This allows the administrator to locally authorize MAC authentication requests and overwrite the policy information returned from the RADIUS server with a less restrictive policy or VLAN.

It should be noted that this configuration may open the network to security threats, and should be reviewed carefully before being implemented.

Area of the network that provides access to a group of users or devices that will be allocated a different set of network resources based on their location on the network.

•Switches that provide access to both trusted and untrusted users on the network, such as conference rooms and cafeterias. These areas can be configured to restrict trusted user access to servers containing sensitive information. This protects against the possibility that an untrusted user obtains access to a trusted user's computer that is logged into the network, or that an untrusted user eavesdrops on sensitive material being viewed by adjacent trusted users.

Impose the level of authorization based on requirements of IT operations.

In NAC Manager, create a Security Domain with the following configuration attributes:

•With the “Proxy RADIUS Request to a RADIUS Server” radio button selected, check the “Replace RADIUS Attributes with Accept Policy” option and specify a policy or VLAN in the Accept Policy field.

This allows the administrator to locally authorize MAC authentication requests and overwrite the policy information returned from the RADIUS server with a different policy based on the network location of an end- system.