Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

NAC Solution Overview

1-2 Overview

Assessment

Determineifthedevicecomplieswithcorporatesecurityandconfigurationrequirements,suchas

operatingsystempatchrevisionlevelsandantivirussignaturedefinitions.Othersecurity

compliancerequirementsmightincludethephysicallocationofthedeviceandthetimeofdaythe

connectionattemptismade.

Authorization

Determinetheappropriatenetworkaccessfortheconnectingdevicebasedontheauthentication

and/orassessmentresults,andenforcethisauthorizationleveltotheend‐system.The

authorizationlevelcanbedeterminedbasedonthedeviceʹslocation,MACaddress,andsecurity

posture(asdeterminedbytheassessmentresults),inadditionto

theidentityoftheuser/device

validatedthroughauthentication.

Theend‐systemcanbeauthorizedfornetworkaccessusingdifferenttechniques,suchas

reconfiguringaccessedgeswitchesorleveragingaspecializedNACappliancedeployedinthe

transmissionpathofend‐systemdatatraffic.Inlineandout‐of‐bandNACimplementationsuse

differenttechniquesforauthorizingend‐systemsonthenetwork,eachwithuniqueadvantages

anddisadvantagesasdiscussedlaterinthischapter.

Remediation

Enableenduserstosafelyremediatetheirnon‐compliantend‐systemswithoutimpactingIT

operations.Withremediation,userscanbenotifiedwhentheirsystemisquarantinedfornetwork

securitypolicynon‐compliance,andtheycanbedirectedtoperformself‐serviceremediation

techniquesspecifictothe detectedcomplianceviolation.Notificationmethods

includeweb

redirectionviaacaptiveportal,emailnotification,pop‐upmessages,andmessengerservice

integration,amongothers.

Theremediationprocessincludesupdatingthedevicetomeetcorporatesecurityrequirements

(forexample,updatingoperatingsystempatchesandantivirussignatures)and reinitiatingthe

networkaccessprocess.Networkresourcescanbeautomaticallyreallocated

toend‐systemsthat

havesuccessfullyperformedtheremediationsteps,withouttheinterventionofIToperations.

Deployment Models

ThefivekeyNACfunctionsdescribedabovedonotneedtobeimplementedconcurrentlyina

NACdeployment.Forexample,tosupportMACregistrationfor guests andotherusersonthe

network,thedetection,authentication,andauthorizationfunctionalitiescanbeimplemented

withouttheassessmentfunctionality.ThisallowsanITdepartmentto

gainvisibilityintowhois

usingwhichdevicesonthenetworkwhileallowingonlyvaliduserstoenterthenetwork.

Asanotherexample,theassessmentfunctionalitycanbeaddedtothedetection,authentication,

andauthorizationofend‐systemswithouttheremediationfunctionality,allowingfortheauditing,

butnotquarantining,ofconnecting

end‐systems.Thisprovidesvisibilityintothesecurityposture

andconfigurationofconnectingend‐systemswithoutimpactingdevicenetworkconnectivity,and

canbeusedforauditingandsoftwareupdatepurposesbytheITdepartment.

ThefourNACdeploymentmodelsdescribedbelowbuildoneachotherbyimplementingsubsets

ofthe

fivekeyNACfunctions.EachmodelprovidesparticularaspectsofNACfunctionality,

supportingtherequirementsofdiverseenterpriseenvironments.Witheachsubsequentmodel,

theadditionalNACfunctionalitycanbeenabledwithouttheneedtoreplacepiecesofthe

EnterasysNACsolution.

previous next