Manuals / Enterasys Networks / Household Appliance / Plumbing Product

Enterasys Networks 9034385 manual Identify Required MAC and User Overrides, MAC Overrides

Models: 9034385

1 98

Download 98 pages 26.86 Kb

Page 76

Procedures for Out-of-Band and Inline NAC

3. Identify Required MAC and User Overrides

MAC and user overrides are used to handle end‐systems that require a different set of authentication, assessment, and authorization parameters from the rest of the end‐systems in a Security Domain. A MAC or user override can be defined within the scope of a specific Security Domain or all Security Domains. An override scoped to a specific Security Domain lets you specify how an end‐system is authenticated, assessed, and authorized whenever the end‐system connects to the network in that particular Security Domain. A global override lets you specify how an end‐system is authenticated, assessed, and authorized whenever the end‐system connects to any Security Domain on the network.

Use the network scenarios and examples provided in this section to determine what MAC and user overrides are required for your NAC deployment.

MAC Overrides

A MAC override lets you create a configuration for a single end‐system (based on a full MAC address) or for a group of end‐systems (based on a MAC OUI, a MAC OUI Group or a Custom MAC Mask). For example, you could create a MAC override that allocates VoIP services to certain IP phones based on a MAC OUI group. Or, you could deny a specific end‐system by creating a MAC override that quarantines the MAC address of that end‐system and restricts its network access.

5-12 Design Procedures

Image 76

Enterasys Networks 9034385 manual Identify Required MAC and User Overrides, MAC Overrides

Contents

Enterasys Network Access ControlDesign Guide Page Enterasys Networks, Inc 50 Minuteman Road Andover, MA Page Contents About This GuideChapter 1 Overview Chapter 2 NAC Deployment ModelsChapter 3 Use Scenarios Chapter 5 Design ProceduresChapter 4 Design Planning Figures TablesPage Intended Audience About This GuideRelated Documents Getting Help NAC Solution Overview AuthenticationOverview Key FunctionalityAuthorization Deployment ModelsAssessment RemediationModel 2 End-System Authorization Model 3 End-System Authorization with AssessmentModel 4 End-System Authorization with Assessment and Remediation Model 1 End-system Detection and TrackingNAC Solution Components AuthorizationAuthorization with The NAC ApplianceNAC Gateway Appliance NAC Controller ApplianceThe NAC Controller is available in two models Appliance Comparison Table 1-2 Comparison of Appliance FunctionalityNAC Function NAC GatewayFeatures Table 1-3 Comparison of Appliance Advantages and DisadvantagesNAC Gateway NAC ControllerNetSight Management NetSight NAC ManagerFeatures NAC GatewaySummary RADIUS ServerAssessment Server NetSight ConsoleEnterasys offers two types of NAC appliances Summary 1-12 OverviewNAC Deployment Models Model 1 End-System Detection and TrackingImplementation Out-of-Band NACFeatures and Value Inline NAC LayerEnd-System and User Tracking IP-to-ID functionality for Security Information Management SIMModel 2 End-System Authorization Required and Optional ComponentsTable 2-1 Component Requirements for Detection and Tracking ComponentInline NAC Authorization ‐ The NAC Gateway allocates the appropriate network resources to the end‐system based on device identity, user identity, and location. For Enterasys policy‐enabled edge switches, the NAC Gateway formats information in the RADIUS authentication messages that directs the edge switch to dynamically assign a particular policy to the connecting end‐system. For RFC 3580‐ capable edge switches, the NAC Gateway formats information in the RADIUS authentication messages in the form of RFC 3580 VLAN Tunnel attributes that directs the edge switch to dynamically assign a particular VLAN to the connecting end‐system. The NAC Gateway may deny the end‐system access to the network by sending a RADIUS Access‐Reject message to the edge switch or assign the end‐system a set of network resources by specifying a particular policy or VLAN to assign to the authenticated end‐system on the edge switchImplementation Out-of-Band NACDevice-Based Authorization Location-Based AuthorizationFeatures and Value User-Based Authorization MAC RegistrationTable 2-2 Component Requirements for Authorization Post-Connect NAC integration with NetSight Automated Security ManagerAuthorization Required and Optional ComponentsModel 3 End-System Authorization with Assessment Model 3 End-System Authorization with AssessmentImplementation Out-of-Band NACInline NAC Extensive Security Posture Compliance Verification Features and ValueDiverse Security Posture Compliance Verification Model 4 End-System Authorization with Assessment and Remediation Table 2-3 Component Requirements for Authorization with AssessmentAuthorization with Required and Optional ComponentsImplementation Out-of-Band NACFeatures and Value Self-Service RemediationInline NAC Authorization with Required and Optional ComponentsComponent Assessment andTable 2-5 Enterasys NAC Deployment Models Deployment ModelValue SummaryScenario 1 Intelligent Wired Access Edge Use ScenariosPolicy-Enabled Edge SwitchAuthenticate AuthenticationRFC 3580 Capable Edge Scenario 1 Intelligent Wired Access Edge3rd Party Switch VLAN=QuarantineScenario 1 Implementation Scenario 2 Intelligent Wireless Access Edge Thin Wireless EdgeAccess WirelessIntelligent Wireless VLAN=QuarantineAssessment Authentication Thick Wireless EdgePoint5 Scenario 2 Intelligent Wireless Access Edge Scenario 2 Implementation3-8 Use Scenarios Scenario 3 Non-intelligent Access Edge Wired and Wireless Layer 3 Wired LAN Layer 2 Wired LANLayer 2 Wireless LAN Figure 3-5 Non-intelligent Access Edge Wired and WirelessScenario 4 VPN Remote Access Scenario 3 ImplementationFigure 3-6 VPN Remote Access Scenario 4 ImplementationNAC Manager 4 ControllerTable 3-1 Use Scenario Summaries Use ScenarioSummary and Appliance Requirements SummaryTable 3-1 Use Scenario Summaries continued Use ScenarioSummary and Appliance Requirements SummaryDesign Planning Identify the NAC Deployment ModelSurvey the Network 1. Identify the Intelligent Edge of the NetworkFigure 4-1 Network with Intelligent Edge Policy‐enabled Enterasys devices at the physical edge of the networkCase #1 No authentication method is deployed on the network 2. Evaluate Policy/VLAN and Authentication ConfigurationFigure 4-2 Network with Non-Intelligent Edge Case #2 Authentication methods are deployed on the network Overview of Supported Authentication MethodsSupport of Multiple Authentication Methods End-System CapabilitiesSupport for Multiple End-System Connection MAC AuthenticationAuthentication Support on Enterasys Devices Authentication Considerations3. Identify the Strategic Point for End-System Authorization Wired LAN Wireless LANThick Wireless Deployments 4. Identify Network Connection MethodsThin Wireless Deployments Remote Access WANSite-to-Site VPN Identify Inline or Out-of-band NAC Deployment Remote Access VPNSummary Wired LAN Wireless LAN Remote Access WAN Site‐to‐Site VPN Procedures for Out-of-Band and Inline NAC Design Procedures1. Identify Required NetSight Applications Procedures for Out-of-Band and Inline NAC 2. Define Network Security Domains5-2 Design Procedures NAC Configurations Figure 5-1 Security DomainAuthentication Figure 5-2 NAC ConfigurationAssessment Authorization How health results are processedProcedures for Out-of-Band and Inline NAC Figure 5-3 NAC Configuration for a Security Domain5-6 Design Procedures Table 5-1 Security Domain Configuration Guidelines Security Domain ConfigurationNetwork Scenario ExamplesTable 5-1 Security Domain Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesTable 5-1 Security Domain Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesTable 5-2 Security Domain Configuration Guidelines for Assessment Security Domain ConfigurationNetwork Scenario ExamplesSecurity Domain Configuration Procedures for Out-of-Band and Inline NACNetwork Scenario Examples3. Identify Required MAC and User Overrides MAC OverridesProcedures for Out-of-Band and Inline NAC Figure 5-4 MAC and User Override ConfigurationEnterasys NAC Design Guide Table 5-3 MAC Override Configuration Guidelines Security Domain ConfigurationNetwork Scenario ExamplesTable 5-3 MAC Override Configuration Guidelines continued Security Domain ConfigurationNetwork Scenario ExamplesUser Overrides Table 5-3 MAC Override Configuration Guidelines continuedSecurity Domain Configuration Network ScenarioAssessment Design Procedures 1. Determine the Number of Assessment Servers3. Identify Assessment Server Configuration 2. Determine Assessment Server LocationOut-of-Band NAC Design Procedures 1. Identify Network Authentication Configuration2. Determine the Number of NAC Gateways Table 5-4 End-System Limits for NAC GatewaysNAC Gateway Model Concurrent End-Systems SupportedFigure 5-5 NAC Gateway Redundancy 3. Determine NAC Gateway Location 4. Identify Backend RADIUS Server Interaction 5. Determine End-System Mobility Restrictions7. Policy Role Configuration 6. VLAN Configuration8. Define NAC Access Policies Failsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationFigure 5-6 Policy Role Configuration in NetSight Policy Manager Assessment PolicyFigure 5-7 Service for the Assessing Role Quarantine PolicyInline NAC Design Procedures Figure 5-8 Service for the Quarantine Role1. Determine NAC Controller Location Unregistered PolicyHowever, the closer the NAC Controller is placed to the edge of the network, the more NAC Controllers are required on the network, increasing NAC deployment cost and complexity. Conversely, when moving the NAC Controller towards the core of the network, fewer NAC Controllers are required, decreasing NAC deployment cost and complexity, but also decreasing the level of security 2. Determine the Number of NAC Controllers Table 5-5 End-System Limits for NAC ControllersNAC Controller Model Concurrent End-Systems SupportedFigure 5-9 Layer 2 NAC Controller Redundancy Figure 5-10 Layer 3 NAC Controller Redundancy4. Define Policy Configuration 3. Identify Backend RADIUS Server InteractionFailsafe Policy and Accept Policy Configuration Assessment Policy and Quarantine Policy ConfigurationAdditional Considerations NAC Deployment With an Intrusion Detection System IDSNAC Deployment With NetSight ASM Unregistered Policy5-34 Design Procedures Additional Considerations