Enterasys Networks 9034385 manual Additional Considerations, NAC Deployment With NetSight ASM

Additional Considerations

assessment servers to reach the end‐system while it is being assessed, regardless of whether the Assessing policy, Enterprise User policy, or any other policy role is utilized for assessment.

The Quarantine Policy is used to restrict network access to end‐systems that have failed assessment. The Quarantine policy role is configured by default on the NAC Controller to be used as the Quarantine Policy in NAC Manager. This policy is restrictive, allowing DNS and DHCP, and redirecting web traffic to serve back a web page stating the end‐system has been restricted access because it is deemed noncompliant. All other types of traffic are discarded. If it is desired to open network access when an end‐system fails the assessment, the use of the Quarantine Policy can be disabled in the NAC Configuration or the Enterprise User policy role can be selected as the Quarantine Policy.

Unregistered Policy

If MAC (network) registration is to be configured on Layer 2 NAC Controllers, the Unregistered policy role configured by default on the NAC Controller can be used for the Accept Policy of unregistered devices. This policy is restrictive, allowing DNS and DHCP, and redirecting web traffic to serve back a registration web page stating the end‐system has been restricted access because it has not yet registered. All other types of traffic are discarded.

Additional Considerations

This section presents additional design considerations for both inline and out‐of‐band NAC deployments.

NAC Deployment With an Intrusion Detection System (IDS)

NAC deployments that implement end‐system assessment complement networking environments with IDS technologies that detect real‐time security events on the network. While end‐system assessment determines the security posture of connecting devices and mitigates threats posed by vulnerable end‐systems, it does not determine the end userʹs intentions, whether malicious or benevolent. Therefore, IDS technologies can monitor how an end‐system utilizes network resources after NAC has validated the security posture compliance of the end‐system.

However, end‐system assessments utilized in NAC may be classified by an IDS (depending on its configuration) as an attack. Therefore, if the traffic from the assessment server traverses a network link that is monitored by an IDS sensor, the IDS must be configured to not generate security events for traffic sourced from the assessment server’s IP address. The same applies for IPS systems.

NAC Deployment With NetSight ASM

NetSight ASM can be configured to notify the locally installed NAC Manager to dynamically configure a MAC override for a threat MAC address on the network. When a security threat is detected on the network, either through Enterasys Dragon IDS or a third‐party device, and the security threat is communicated to NetSight ASM for an automated response, ASM can then quarantine the source of the attack at the port of connection using policy, and also communicate this quarantine action to NAC. If the end‐system sourcing the security threat moves to a different port on the network, the end‐system will remain quarantined, due to a dynamically configured MAC override, to protect the network from the possibility of future attacks. Therefore, the deployment of NAC not only proactively protects the network from security threats posed by vulnerable end‐systems, but it also empowers the networkʹs dynamic response characteristics to real‐time threats detected from end‐systems.

Enterasys NAC Design Guide 5-33