Enterasys 9034385 manual

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98

Ir a la página of

Buen manual de instrucciones

Las leyes obligan al vendedor a entregarle al comprador, junto con el producto, el manual de instrucciones Enterasys 9034385. La falta del manual o facilitar información incorrecta al consumidor constituyen una base de reclamación por no estar de acuerdo el producto con el contrato. Según la ley, está permitido adjuntar un manual de otra forma que no sea en papel, lo cual últimamente es bastante común y los fabricantes nos facilitan un manual gráfico, su versión electrónica Enterasys 9034385 o vídeos de instrucciones para usuarios. La condición es que tenga una forma legible y entendible.

¿Qué es un manual de instrucciones?

El nombre proviene de la palabra latina “instructio”, es decir, ordenar. Por lo tanto, en un manual Enterasys 9034385 se puede encontrar la descripción de las etapas de actuación. El propósito de un manual es enseñar, facilitar el encendido o el uso de un dispositivo o la realización de acciones concretas. Un manual de instrucciones también es una fuente de información acerca de un objeto o un servicio, es una pista.

Desafortunadamente pocos usuarios destinan su tiempo a leer manuales Enterasys 9034385, sin embargo, un buen manual nos permite, no solo conocer una cantidad de funcionalidades adicionales del dispositivo comprado, sino también evitar la mayoría de fallos.

Entonces, ¿qué debe contener el manual de instrucciones perfecto?

Sobre todo, un manual de instrucciones Enterasys 9034385 debe contener:
- información acerca de las especificaciones técnicas del dispositivo Enterasys 9034385
- nombre de fabricante y año de fabricación del dispositivo Enterasys 9034385
- condiciones de uso, configuración y mantenimiento del dispositivo Enterasys 9034385
- marcas de seguridad y certificados que confirmen su concordancia con determinadas normativas

¿Por qué no leemos los manuales de instrucciones?

Normalmente es por la falta de tiempo y seguridad acerca de las funcionalidades determinadas de los dispositivos comprados. Desafortunadamente la conexión y el encendido de Enterasys 9034385 no es suficiente. El manual de instrucciones siempre contiene una serie de indicaciones acerca de determinadas funcionalidades, normas de seguridad, consejos de mantenimiento (incluso qué productos usar), fallos eventuales de Enterasys 9034385 y maneras de solucionar los problemas que puedan ocurrir durante su uso. Al final, en un manual se pueden encontrar los detalles de servicio técnico Enterasys en caso de que las soluciones propuestas no hayan funcionado. Actualmente gozan de éxito manuales de instrucciones en forma de animaciones interesantes o vídeo manuales que llegan al usuario mucho mejor que en forma de un folleto. Este tipo de manual ayuda a que el usuario vea el vídeo entero sin saltarse las especificaciones y las descripciones técnicas complicadas de Enterasys 9034385, como se suele hacer teniendo una versión en papel.

¿Por qué vale la pena leer los manuales de instrucciones?

Sobre todo es en ellos donde encontraremos las respuestas acerca de la construcción, las posibilidades del dispositivo Enterasys 9034385, el uso de determinados accesorios y una serie de informaciones que permiten aprovechar completamente sus funciones y comodidades.

Tras una compra exitosa de un equipo o un dispositivo, vale la pena dedicar un momento para familiarizarse con cada parte del manual Enterasys 9034385. Actualmente se preparan y traducen con dedicación, para que no solo sean comprensibles para los usuarios, sino que también cumplan su función básica de información y ayuda.

Índice de manuales de instrucciones

  • Página 1

    Enterasys ® Network Access Control Design Guide P/N 9034385[...]

  • Página 2

    [...]

  • Página 3

    i Notice Enterasys Networks  reserves  the  right  to  make  changes  in  specifications  and  other  information  contained  in  this  document  and  its  web  si te  without  prior  notice.  The  reader  should  in  all  cases  co nsult  Enterasys Netw orks [...]

  • Página 4

    ii[...]

  • Página 5

    iii Contents About This Guide Intended Audience .......... ............. ................. ............ ................. ............. ................ ........... .................. ............. vii Related Documents ............... ............. ................ ............. ................ ............. ................ ....... ............ [...]

  • Página 6

    iv Chapter 3: Use Scenarios Scenario 1: Intelligent Wired Access E dge ............ ............. ................ ................ ............. ............... ..... ........... 3-1 Policy-Enabled Edge ................. ............. ............ ................. ............. ............ ............. .......... ................ ..... 3-2 RFC [...]

  • Página 7

    v Unregistered Policy ................... ............. ............. ................ ............. ................ ............. ..... .............. 5-28 Inline NAC Design Procedures ........... ................ ............. ................ ................ ............. ............. .......... ......... 5-28 1. Determine NAC Contro ller Loc[...]

  • Página 8

    vi[...]

  • Página 9

    Enterasys NAC Design Gu ide vii About This Guide The  NAC  Design  Guide  describes  the  technical  considerations  for  the  planning  and  design  of  the  Enterasys  Netw ork  Access  Contr ol  (NAC)  solution.  The  guide  includes  the  following  information: Inten[...]

  • Página 10

    Getting Help viii About This Guide •E n t e r a s y s  NA C  Manager  Online  Help.  Explains  how  to  use  NAC  Manager  to  configure  you r  NAC  appliances,  and  to  put  in  place  authenti cation  and  assessment  requirements  for  the  end ‐ systems  a[...]

  • Página 11

    Enterasys NAC Design Guide 1-1 1 Overview This  chapter  provides  an  overview  of  the  Enterasys  Network  Access  Control  (NAC)  solution,  including  a  descripti on  of  key  NAC  functions  and  deployment  models.  It  also  introd uces  the  required  and [...]

  • Página 12

    NAC Solution Overview 1-2 Overview Assessment Determine  if  th e  device  complies  with  corporate  security  and  configuration  requirements,  such  as  operating  system  patch  revision  levels  and  anti virus  signature  definitions.  Other  security  compliance  req[...]

  • Página 13

    NAC Solution Overview Enterasys NAC Design Guide 1-3 Model 1: End-system Detection and T racking This  NAC  deployment  model  implements  the  detection  piece  of  NAC  functionality .  It  supports  the  ability  to  track  users  and  end ‐ sys tems  over  time  by  identify[...]

  • Página 14

    NAC Solution Components 1-4 Overview NAC Solution Component s This  section  discusses  the  required  and  optional  components  of  the  Enterasys  NAC  solution,  beginning  with  the  following  table  that  summarizes  the  component  requirements  for  each  of  the[...]

  • Página 15

    NAC Solution Components Enterasys NAC Design Guide 1-5 Enterasys  offers  two  types  of  NA C  appliances:  the  NAC  Gatew ay  appliance  implements  out ‐ of ‐ band  network  access  control,  and  the  NAC  Controller  appliance  implements  inline  network  access  [...]

  • Página 16

    NAC Solution Components 1-6 Overview of  supporting  authentication  and/or  authorization.  The  NAC  Controller  is  also  required  in  IPSec  and  SSL  VPN  deployments.  The  NAC  Controller  provides  integrated  vulnerability  assessment  serv er  functionality  an[...]

  • Página 17

    NAC Solution Components Enterasys NAC Design Guide 1-7 Appliance Comp arison The  following  table  compares  how  the  two  NA C  appliance  types  implement  the  five  NAC  functions. T able 1-2 Comp arison of Appliance Funct ionality NAC Function NAC Gateway NAC Controller Detection RADIUS authenticatio[...]

  • Página 18

    NAC Solution Components 1-8 Overview Ta b l e 1 ‐ 3  outlines  the  advantages  and  disadv antages  of  the  two  appliance  types  as  they  pertain  to  network  securi ty ,  scalabilit y ,  and  configuration/implementation. T able 1-3 Comp arison of Appliance Adva ntag es and Disadvant[...]

  • Página 19

    NAC Solution Components Enterasys NAC Design Guide 1-9 NetSight Management The  NAC  appliances  are  configured,  monit ored,  and  managed  through  management  applications  within  the  Enterasys  NetSight  Suite.  Net Sight  is  a  family  of  products  comprised  of  NetS[...]

  • Página 20

    Summary 1-10 Overview NetSight Console NetSight  Console  is  used  to  monitor  the  health  and  status  of  infrastructure  devices  in  the  netw ork,  including  switches,  routers,  Enterasys  NAC  appliances  (NAC  Gatew ays  and  NAC  Controllers)  as  wel l[...]

  • Página 21

    Summary Enterasys NAC Design Guide 1 -11 •M o d e l  3:  End ‐ Syst em  Authorization  with  Assessment ‐ Implements  detection ,  authentication ,  assessment ,  and  authorization  to  provide  network  access  control  based  on  the  security  posture  of  a  conne[...]

  • Página 22

    Summary 1-12 Overview[...]

  • Página 23

    Enterasys NAC Design Guide 2-1 2 NAC Deployment Models This  chapter  descri bes  the  four  NAC  deployment  models  and  how  they  build  on  each  other  to  provide  a  complete  NAC  solution.  The  first  model  imple ments  a  subset  of  the  fiv e  k[...]

  • Página 24

    Model 1: End-System Detection and Tracking 2-2 NAC Deployment Models RADIUS  Access ‐ Accept  or  Access ‐ Reject  message  received  from  the  upstream  RADIUS  server ,  is  returned  without  modification  to  the  access  edge  switch,  to  permit  end ‐ system  access [...]

  • Página 25

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-3 and  information  on  the  network.  Enteras ys  NAC  can  be  leveraged  to  provide  information  to  SIM  solutions,  by  mapping  an  IP  address  to  an  identity ,  such  as  a  MAC  address  [...]

  • Página 26

    Model 2: End-System Authorization 2-4 NAC Deployment Models device  ide ntity ,  us er  identity ,  and/or  location  information  is  used  to  authorize  the  connecting  end ‐ system  with  a  certain  level  of  netw ork  access.  It  is  important  to  note  that ?[...]

  • Página 27

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-5 The  NAC  Controller  may  eithe r  deny  the  end ‐ system  access  to  the  network  or  assign  the  end ‐ system  to  a  particular  set  of  networ k  reso urces  by  specifying  a  particular  p[...]

  • Página 28

    Model 2: End-System Authorization 2-6 NAC Deployment Models is  only  provisioned  by  the  Enterasys  NAC  sol ution  when  the  devices  connect  to  switches  in  the  Network  Operations  Center  (NOC).  This  level  of  granularity  in  provisioning  access  to ?[...]

  • Página 29

    Model 2: End-System Authorization Enterasys NAC Design Guide 2-7 a  password  in  the  registration  web  page.  This  sponsor  username  and  passw ord  can  be  va l i d a te d  agai nst  an  existing  database  on  the  netw ork  to  authentica te  the  sponsor ʹ s  i[...]

  • Página 30

    Model 3: End-System Authorization with Assessment 2-8 NAC Deployment Models A  RADIUS  serv er  is  only  required  if  out ‐ of ‐ band  netw ork  access  control  using  the  NAC  Gatewa y ,  or  inline  netw ork  access  control  using  the  Layer  2  NAC  Co ntroller [...]

  • Página 31

    Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2-9 server  is  running  or  if  the  HTTP  server  is  out ‐ of ‐ date)  and  client ‐ side  checks  (run ning  applications,  softw are  configurations,  instal led  operating  system  patches)  provide[...]

  • Página 32

    Model 3: End-System Authorization with Assessment 2-10 NAC Deployment Models Features and V alue In  addition  to  the  features  and  val u e s  found  in  Model  1  and  Model  2,  the  following  are  key  pieces  of  functionality  and  va lu e  propositions  supported  [...]

  • Página 33

    Model 3: End-System Authorization with Assessment Enterasys NAC Design Guide 2 -11 •A p p l i c a t i o n  configuration The  NAC  solution  can  determine  which  services  and  applications  are  installed  and  enabled  on  the  end ‐ system.  Certain  applications  should  be  r[...]

  • Página 34

    Model 4: End-System Authorization with Assessment and Remediation 2-12 NAC Deployment Models Required and Optional Component s This  section  summarizes  the  required  and  optional  components  for  Mod el  3. . The  NAC  Gatew ay  and  NAC  Controller  are  the  NAC  appliances  used ?[...]

  • Página 35

    Model 4: End-System Authorization with Assessment and Reme diation Enterasys NAC Design Guide 2 -13 Assisted  remediation  informs  end  users  when  their  end ‐ systems  have  been  quarantin ed  due  to  network  securi ty  policy  non ‐ compliance,  and  allows  end  users  to ?[...]

  • Página 36

    Model 4: End-System Authorization with Assessment and Remediation 2-14 NAC Deployment Models Inline NAC For  inline  Enterasys  NAC  deployments  utilizing  the  Lay er  2  or  Layer  3  NAC  Controller ,  the  NAC  functions  are  implemented  in  the  following  way : Detection [...]

  • Página 37

    Model 4: End-System Authorization with Assessment and Reme diation Enterasys NAC Design Guide 2 -15 traffic  with  specific  source  and  destination  cha racteristics  as  well  as  specific  app lication  identifiers  (UDP/TCP  ports).  In  addi tion,  the  Enterasys  NAC  solution  w[...]

  • Página 38

    Summary 2-16 NAC Deployment Models Summary Enterasys  supports  all  of  the  five  key  NAC  functions:  detection,  authentication,  assessment,  authorization,  and  remediation.  Howev er ,  not  all  fiv e  functions  need  to  be  implemented  concurrently  in  a ?[...]

  • Página 39

    Enterasys NAC Design Guide 3-1 3 Use Scenarios This  chapter  describes  four  NAC  use  scenarios  that  illustrate  how  the  type  of  NAC  deployment  is  directly  dependent  on  the  infrastructure  devices  deployed  in  the  netw ork.  For  some  network [...]

  • Página 40

    Scenario 1: Intelligent Wired Access Edge 3-2 Use Scenarios within  the  same  Quarantine  VLAN  because  the  authorization  point  is  usually  implemented  at  the  exit  point  of  the  VLAN  via  Access  Control  Lists  (ACL s). Policy-Enabled Edge The  fol lowing  figu[...]

  • Página 41

    Scenario 1: Intelligent Wired Access Edge Enterasys NAC Design Guide 3-3 RFC 3580 Cap able Edge In  this  figure  the  NAC  Gatew ay  and  the  other  Enterasys  NAC  components  provide  network  access  control  for  a  network  with  third ‐ party  switches  that  support [...]

  • Página 42

    Scenario 1: Intelligent Wired Access Edge 3-4 Use Scenarios Scenario 1 Implementation In  the  intelligent  wi red  edge  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  connects  to  th[...]

  • Página 43

    Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-5 intellig ent  edge  on  the  network.  The  Mat rix  N ‐ series  switch  is  capable  of  authenticating  and  authorizing  multiple  devices  connected  to  a  single  port  for  a  vari e t y  of[...]

  • Página 44

    Scenario 2: Intelligent Wireless Access Edge 3-6 Use Scenarios Figure 3-3 Intelligent Wirele ss Access Edge - Thin APs with W ireless Switch 1 4 3 2 Wireless Access Point 5 3 Enterasys NAC Manager Intelligent Wireless Controller (RFC 3850-compliant) NAC Gateway (out- of-band appliance) Assessment Server Authentication Server (optionally integrated [...]

  • Página 45

    Scenario 2: Intelligent Wireless Access Edge Enterasys NAC Design Guide 3-7 Thick Wireless Edge In  a  thick  wireless  deployment,  access  points  forward  wirele ss  end ‐ system  traffic  directly  onto  the  wired  infrastructure  without  the  use  of  a  wireless  switch. ?[...]

  • Página 46

    Scenario 2: Intelligent Wireless Access Edge 3-8 Use Scenarios Scenario 2 Implementation In  the  intelligent  wireless  access  edge  use  scen ario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  conne[...]

  • Página 47

    Scenario 3: Non-intelligent Access Edge (Wired and Wireless) Enterasys NAC Design Guide 3-9 It  is  important  to  note  that  if  the  wireless  edge  of  the  network  is  non ‐ i ntelligent  and  not  capable  of  authenticating  and  authorizing  wireless  end ‐ systems, ?[...]

  • Página 48

    Scenario 3: Non-intelligent Access Edge ( Wired and Wireless) 3-10 Use Scenarios Figure 3-5 Non-intelligent Access Edge (W ired and Wireless) 2 3 3 3 4 5 1 3 Enterasys NAC Manager NAC Controller (inline appliance) Assessment Server Authentication Server (optionally integrated in NAC Controller) Role= Quarantine Layer 3 Wired LAN Role= Quarantine Ro[...]

  • Página 49

    Scenario 4: VPN Remote Access Enterasys NAC Design Guide 3 -11 Scenario 3 Implementation In  the  non ‐ intelligent  access  edge  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner: 1.  Detection ‐ The  user ʹ s  end ‐ sy stem  connects ?[...]

  • Página 50

    Scenario 4: VPN Remote Access 3-12 Use Scenarios Figure 3-6 VPN Remote Access Scenario 4 Implementation In  the  VPN  remote  access  use  scenario,  the  five  NAC  functions  are  implemented  in  the  following  manner  with  the  deployment  of  the  NAC  Controller  for ?[...]

  • Página 51

    Summary Enterasys NAC Design Guide 3 -13 5.  Remediation ‐  When  the  quarantined  end  user  opens  a  web  browser  to  any  web  site,  its  traffic  is  dynamically  redirect ed  to  a  Remediation  web  page  that  describes  the  compliance  violation[...]

  • Página 52

    Summary 3-14 Use Scenarios Scenario 4: VPN remote access Summary: VPN concentrators act as a termination point for remote access VPN tunn els into the enterprise network. Appliance Requirement: NAC Contr oller Inline net work access control is implem ented by deploying the NAC Controller appliance to locally authorize connecting end-systems. T able[...]

  • Página 53

    Enterasys NAC Design Guide 4-1 4 Design Planning This  chapter  descri bes  the  steps  yo u  should  take  as  yo u  begin  planning  yo ur  NAC  deployment.  The  first  step  is  to  identify  the  deployment  model  that  best  meets  you r  business  objecti[...]

  • Página 54

    Survey the Network 4-2 Design Planning access  to  a  web  browser  to  safely  remediate  their  quarantined  end ‐ syst em  without  impacting  IT  operations. Once  a  deployment  model  is  se lected,  the  current  network  infrastructure  must  be  examined  to[...]

  • Página 55

    Survey the Network Enterasys NAC Design Guide 4-3 The  network  shown  in  Figure 4 ‐ 1  below ,  illustrates  the  following  three  examples  of  how  the  intellig ent  edge  can  be  implemented  in  a  networ k. • Policy ‐ enabled  Enterasys  devices  at  the  [...]

  • Página 56

    Survey the Network 4-4 Design Planning For  the  inline  implementation  of  the  Enterasys  NAC  solution,  the  NAC  Controller  authenticates  and  authorizes  end ‐ systems  locally  on  the  appliance,  and  does  not  rely  on  the  capabilities  of  downstr[...]

  • Página 57

    Survey the Network Enterasys NAC Design Guide 4-5 to  locally  authorize  all  MAC  authentication  reque sts  for  connecting  end ‐ systems,  thereby  not  requiring  a  li st  of  known  MAC  addre sses.  In  fact,  Enterasys  NAC  can  be  configur ed  in  a  [...]

  • Página 58

    Survey the Network 4-6 Design Planning Similar  to  802.1X,  web ‐ based  authentication  requires  the  input  of  credentials  and  is  normally  use d  on  user ‐ centric  end ‐ systems  that  hav e  a  concept  of  an  associated  user ,  such  as  a  PC. [...]

  • Página 59

    Survey the Network Enterasys NAC Design Guide 4-7 system  at  a  time,  then  it  is  sugg ested  that  MAC  locking  (also  known  as  Po r t  Secu rity)  be  enabled  on  the  edge  switches  to  restrict  the  number  of  connecting  devi ces.  If  multiple[...]

  • Página 60

    Survey the Network 4-8 Design Planning authenticated  to  the  netw ork  and  interact  with  Enter asys  NAC  for  authenticati on,  assessment,  authorization,  and  remediation.  Note  how ever ,  that  this  configuration  may  not  be  possible  if  trusted  users ?[...]

  • Página 61

    Survey the Network Enterasys NAC Design Guide 4-9 If  the  network  infrastructure  does  not  contain  intelligent  devices  at  the  edg e  or  distributi on  layer ,  then  inline  NAC  using  the  NAC  Controller  as  the  authorization  point  for  connecting  [...]

  • Página 62

    Survey the Network 4-10 Design Planning this  case,  the  thick  AP  deployment  falls  into  the  category  of  non ‐ intelligent  ed ge  devices  with  the  same  NAC  implementations  as  a  non ‐ intelligent  wired  edge.  These  non ‐ intelligent  APs  must [...]

  • Página 63

    Identify Inline or Out-of-band NAC Dep loyment Enterasys NAC Design Guide 4 -11 Remote Access VPN In  many  enterprise  environments,  a  VPN  concentrator  located  at  the  main  site  connects  to  the  Internet  to  provide  VPN  access  to  remote  users.  In  this  sce[...]

  • Página 64

    Summary 4-12 Design Planning server .  In  addi tion,  NAC  can  also  be  configured  to  locally  authorize  MA C  authentication  requests. 3. Identify  the  strategic  point  in  the  network  where  end ‐ system  authorization  should  be  implemented.  The  mos[...]

  • Página 65

    Enterasys NAC Design Guide 5-1 5 Design Procedures This  chapter  descri bes  the  design  procedures  for  Enterasys  NAC  deployment  on  an  ente rprise  network.  The  first  section  discusses  procedures  for  both  out ‐ of ‐ band  and  inline  NAC  deployments. ?[...]

  • Página 66

    Procedures for Out-of-Band and Inline NAC 5-2 Design Procedures Po l i c y  Manager  is  not  re quired  for  out ‐ of ‐ band  NAC  that  utilizes  RFC  3580 ‐ compliant  switches  (Enterasys  and  third ‐ party  switches).  In  this  case,  a  VLAN  is  specified  in ?[...]

  • Página 67

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-3 Figure 5-1 Se curity Domain NAC Configurations Each  Security  Domain  has  a  default  “NAC  configuration”  that  defines  the  authentication,  assessment,  and  authorization  parameters  for  all  end ‐ systems ?[...]

  • Página 68

    Procedures for Out-of-Band and Inline NAC 5-4 Design Procedures Figure 5-2 NAC Configuration Authentication The  Authenticati on  settings  define  how  RADIUS  requests  are  handled  for  au thenticating  end ‐ systems  (this  does  not  apply  to  Layer  3  NAC  Controllers.)  This[...]

  • Página 69

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-5 •H o w  health  results  are  processed. When  an  assessment  is  performed  on  an  end ‐ syste m,  a  “health  result”  is  generated.  For  each  health  result,  there  may  be  sev eral  ?[...]

  • Página 70

    Procedures for Out-of-Band and Inline NAC 5-6 Design Procedures The  following  figure  shows  the  NAC  Manager  window  used  to  create  or  edit  a  NAC  Configuration  and  defi ne  its  authentication,  assessment,  and  a uthorization  attributes. Figure 5-3 NAC Configurati[...]

  • Página 71

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-7 The  following  table  provides  examples  of  var i o u s  network  scenarios  that  should  be  considered  when  identifyi ng  the  number  and  configuration  of  Sec urity  Domains  in  your  NAC  [...]

  • Página 72

    Procedures for Out-of-Band and Inline NAC 5-8 Design Procedures Area of the network that provides access to a group of users or devices that pose a potentiall y high risk to the security or stability of the network. • Switches that provide access to guest users or contractors on a corporate network. These users are usually not directly unde r the[...]

  • Página 73

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5-9 Area of the network that is configured to allow access only to specific end-systems or users. • Switches that provide access to only pre-configured end-systems and users in highly controlled environments, such as industrial automation networks. For the NAC Gateway , reject a[...]

  • Página 74

    Procedures for Out-of-Band and Inline NAC 5-10 Design Procedures The  following  table  provides  network  scenarios  from  an  as sessment  standpoint  that  should  be  taken  into  account  when  identifying  the  number  and  configuration  of  Security  Domains. T able 5-2[...]

  • Página 75

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -11 Area of the network, or a group of end-systems or users, that require assessment with immediate network access. • Switches that provide network acce ss to mission critical servers, mandating uninterrupted network con nectivity while still implementing assessment. • Switc[...]

  • Página 76

    Procedures for Out-of-Band and Inline NAC 5-12 Design Procedures 3. Identify Required MAC and User Overrides MAC  and  user  overr ides  are  used  to  handle  end ‐ syste ms  that  require  a  different  set  of  authentication,  assessment,  and  authorization  parameters  from  the[...]

  • Página 77

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -13 The  following  figure  display s  the  windows  used  for  MAC  and  user  override  configura tion  in  NAC  Manager .  Notice  that  either  an  existing  NAC  Config uration  can  be  used  or [...]

  • Página 78

    Procedures for Out-of-Band and Inline NAC 5-14 Design Procedures The  following  table  describes  scenarios  where  a  MAC  ov erride  may  be  configured  for  a  particular  end ‐ system. T able 5-3 MAC Override Configuratio n Guidelines Network Scenario Examples Security Domain Config uration A dev[...]

  • Página 79

    Procedures for Out-of-Band and Inline NAC Enterasys NAC Design Guide 5 -15 A device or class of devices needs to be restricted network access (“blacklisted”) in a particular Security Domain or in all Security Domains. Denying access or quarantining the MAC addresses of laptops used b y guests or contractors in those areas of the network designa[...]

  • Página 80

    Procedures for Out-of-Band and Inline NAC 5-16 Design Procedures User Overrides A  user  ov erride  lets  you  create  a  configuration  for  a  specific  end  user ,  based  on  the  user  name.  For  example,  you  could  create  a  user  override  that  gives  a [...]

  • Página 81

    Assessment Design Procedures Enterasys NAC Design Guide 5 -17 Manager  will  not  match  this  end ‐ system  and  the  end ‐ sy stem  is  assigned  the  Security  Domain’ s  default  NAC  config uration.  In  addition,  the  Layer  3  NAC  Controller  is  not  able [...]

  • Página 82

    Assessment Design Procedures 5-18 Design Procedures 2. Determine Assessm ent Server Location When  determining  the  location  of  the  assessme nt  servers  on  th e  network,  the  following  factors  should  be  considered: •T h e  type  of  assessment:  agent ‐ less  or  agen[...]

  • Página 83

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -19 configuration  if  the  security  vul nerability  is  considered  a  risk  for  the  organization.  For  more  information  on  Nessus,  ref er  to  http://nessus.org/ . Out-of-Band NAC Design Procedures The  following  [...]

  • Página 84

    Out-of-Band NAC Design Procedures 5-20 Design Procedures 2. Determine the Number of NAC Gateways The  number  of  NAC  Gatew ays  to  be  depl oyed  on  the  netw ork  is  a  function  of  the  following  parameters: •T h e  number  of  Security  Domains  configured  on  th e[...]

  • Página 85

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -21 Figure 5-5 NAC Gateway Redund ancy It  is  important  that  the  secondary  NAC  Gatew ay  does  not  exceed  maximum  capacity  if  the  primary  NAC  Gatew ay  fails  on  the  network.  For  example,  let’ s[...]

  • Página 86

    Out-of-Band NAC Design Procedures 5-22 Design Procedures primary  NAC  Gatew ay ,  the  transition  to  the  secondary  NAC  Gateway  wi ll  not  exceed  maximum  capacity .  To  support  redundancy  within  a  Secu rity  Domain  for  either  approach,  one  addi tional ?[...]

  • Página 87

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -23 It  is  important  to  not e  that  only  the  NAC  Gateways  that  are  configured  with  remediation  and  registration  functionality  need  to  be  positioned  in  such  a  manner .  All  other  [...]

  • Página 88

    Out-of-Band NAC Design Procedures 5-24 Design Procedures 6. VLAN Configuration This  step  is  for  NA C  deployments  tha t  use  RFC ‐ 3580 ‐ compliant  switches  in  the  intelligent  edge  of  the  network  to  impl ement  dynamic  VLAN  assignment  of  connecting  devi[...]

  • Página 89

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -25 previously  specified  in  the  NAC  configuration  must  be  def ined  in  NetSight  Pol i c y  Manager  to  ensure  the  consistent  allocation  of  network  resources  to  co nnecting  end ‐ systems. Failsafe [...]

  • Página 90

    Out-of-Band NAC Design Procedures 5-26 Design Procedures Figure 5-6 Policy Role Configuration in NetSig ht Policy Manager Assessment Policy The  Assessment  Pol ic y  may  be  used  to  temporarily  allocate  a  set  of  network  resources  to  end ‐ systems  while  they  are  being  ass[...]

  • Página 91

    Out-of-Band NAC Design Procedures Enterasys NAC Design Guide 5 -27 Figure 5-7 Service for the Assessing Role Note  that  it  is  not  mandatory  to  assign  the  Assessment  Pol i cy  to  a  connecting  end ‐ system  while  it  is  being  assessed.  NAC  can  be  configured  [...]

  • Página 92

    Inline NAC Design Procedures 5-28 Design Procedures Figure 5-8 Service for the Quarantine Role Furthermore,  the  Quarantine  Po l i c y  and  other  network  infrastructure  devices  must  be  configured  to  implement  HTTP  traffic  redirection  for  quaranti ned  end ‐ systems  to ?[...]

  • Página 93

    Inline NAC Design Procedures Enterasys NAC Design Guide 5 -29 Howeve r ,  the  closer  the  NAC  Controller  is  placed  to  the  edge  of  the  network,  the  more  NAC  Controllers  are  required  on  the  netw ork,  increasing  NAC  deployment  cost  and  complex[...]

  • Página 94

    Inline NAC Design Procedures 5-30 Design Procedures 2. Determine the Numb er of NAC Controllers The  number  of  NAC  Controllers  to  be  deploy ed  on  the  network  is  a  function  of  the  following  parameters: •T h e  network  topology . Because  the  NAC  Controller  is [...]

  • Página 95

    Inline NAC Design Procedures Enterasys NAC Design Guide 5 -31 Figure 5-9 Layer 2 NAC Controller Redundancy For  a  Layer  3  NAC  Controller ,  redundancy  is  achieved  by  implementing  redundant  Layer  3  NAC  Controllers  on  adjacent,  but  separate  networks  as  shown  in [...]

  • Página 96

    Inline NAC Design Procedures 5-32 Design Procedures 3. Identify Backend RADIUS Server Interaction Layer  2  NAC  Controllers  detect  downs tream  end ‐ systems  via  authentication:  MAC,  web ‐ based,  or  802.1X.  If  we b ‐ based  or  802.1X  authenti cation  is  implemented,  th[...]

  • Página 97

    Additional Considerations Enterasys NAC Design Guide 5 -33 assessment  server s  to  reach  the  end ‐ system  while  it  is  being  assessed,  regardless  of  whether  the  Assessing  policy ,  Enterprise  User  policy ,  or  any  other  policy  ro le  is  utilized [...]

  • Página 98

    Additional Considerations 5-34 Design Procedures[...]