Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

NAC Solution Components

Enterasys NAC Design Guide 1-5

EnterasysofferstwotypesofNACappliances:theNACGatewayapplianceimplementsout‐of‐

bandnetworkaccesscontrol,andtheNACControllerapplianceimplementsinlinenetworkaccess

control.ThefollowingsectiondescribeshoweachNACapplianceimplementsnetworkaccess

controlforconnectingend‐systems.

NAC Gateway Appliance

TheNACGatewayisutilizedtoimplementout‐of‐bandnetworkaccesscontrolforconnecting

end‐systems.WiththeNACGateway,connectingend‐systemsaredetectedonthenetwork

throughtheirRADIUSauthenticationinterchange.Basedontheassessmentandauthentication

resultsforaconnectingdevice,RADIUSattributesareaddedormodified

duringthe

authenticationprocesstoauthorizetheend‐systemontheauthenticatingedgeswitch.Therefore,

theNACGatewaycanbepositionedanywhereinthenetworktopologywiththeonly

requirementbeingthatIPconnectivitybetweentheauthenticatingedgeswitchesandtheNAC

Gatewaysisoperational.

TheNACGatewayrequirestheimplementation

ofintelligentwiredorwirelessedge

infrastructuredevicesastheauthorizat ion pointforconnectingend‐systems.Intelligentedge

devicesarecapableofsupportingauthenticationandauthorizationbasedontheauthentication

messageinterchange.Dependingontheappliancemodel,theNACGatewayprovideseither

integratedassessmentserverfunctionalityand/ortheabilityto

connecttoexternalassessment

services,todeterminethesecuritypostureofend‐systemsconnectingtothenetwork.

ThreeNACGatewaymodelsareavailabletomeettheneedsofdifferent‐sizedimplementa tions

andassessmentserverrequirements.

• SNS‐TAG‐ITAsupportsupto3000concurrentend‐systemsandprovidesintegrated

assessmentservers.(A

separatelicenseisrequiredforintegratedassessment.)Thisintegrated

NACGatewaysupportsbothagent‐less(network‐based)andagent‐basedassessment.In

additiontohavingthecapabilitytorunasanintegratedappliance,italsohasthecapabilityto

runasanassessmentserver(scanner)only.TheSNS‐TAG‐ITAalso

supportstheabilityto

connecttomultipleexternalassessmentserversincludingNessu sandLockdownEnforcer.

• SNS‐TAG‐HPA supportsupto3000concurrentend‐systemsandsupportstheabilityto

connecttomultipleexternalassessmentserversincludingNessu sandLockdownEnforcer.

• SNS‐TAG‐LPAsupportsupto2000concurrentend‐

systemsandsupportstheabilityto

connecttomultipleexternalassessmentserversincludingNessu sandLockdownEnforcer.

NAC Controller Appliance

TheNACControllerisutilizedtoimplementinlinenetworkaccesscontrolforconnectingend‐

systems.WiththeNACController,connectingend‐systemsaredetectedthroughthereceiptofa

packetfromanewend‐system.Basedontheassessmentandauthenticationresultsfora

connectingdevice,theauthorizationoftheend

‐systemisimplementedlocallyontheNAC

Controllerappliancebyassigningasetoftrafficforwardingrules,referredtoas“policy,”toall

trafficsourcedbytheend‐system.TheNACControllerapplianceispositionedstrategicallyinthe

networktopologywithintheenduserLANsegmentoracrossroutedboundaries,

inlinewithdata

trafficsourcedfromend‐systems.Sincethisapplianceexistsinthedata pathofnetworked

devices,ithasbeendesignedtoachievemulti‐gigabitthroughputwithhardware‐basedtraffic

forwarding,byleveragingcustomizedEnterasys‐builtApplicationSpecificIntegratedCircuits

(ASICs).

TheNACControllerisapplicabletoscenarioswhere

non‐intelligentwiredorwirelessedge

infrastructuredevicesaredeployedinthenetwork.Non‐intelligentedgedevicesarenotcapable

previous next