Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Model 2: End-System Authorization

Enterasys NAC Design Guide 2-5

TheNACControllermayeitherdenytheend‐systemaccesstothenetworkorassigntheend‐

systemtoaparticularsetofnetworkresourcesbyspecifyingaparticularpolicy.

Features and Value

InadditiontothefeaturesandvaluesfoundinModel1,thefollowingarekeypiecesof

functionalityandvaluepropositionssupportedbyModel2,End‐SystemAuthorization:

Location-Based Authorization

Inadditiontoprovidingvisibilityintowho,what,when,andwheredevicesandusersare

connectingtothenetwork,thisdeploymentmodelallowsIToperationstocontrolaccessto

thenetworkwithdifferentlevelsofauthorizationbasedontheseparameters.Forlocation‐

basedauthorization,theEnterasysNACsolutioncanassigna

levelofaccesstoaconnecting

enduserordevicebasedonwhichareaofthenetworktheend‐systemisconnected,through

theconfigurationofSecurityDomains.Forexample,whenanengineerconnectstothe

networkfromacontrolledareaofthenetworksuchasthelab,ora

facultymemberconnectsto

thenetworkfromaphysicallysecured facultyoffice,theengineerandfacultymemberare

appropriatelyauthorizedtoaccesssensitiveinformationresidingoninternalservers.

However,ifthesameusersconnecttothenetworkfromanunsecuredareaofthenetwork

suchastheopenwirelessLANavailable

intheenterpriseʹslobbyorcampus,orinastudent

dormitory,thentheseend‐systemscanbeauthorizedwithadifferentlevelofnetworkaccess,

possiblyrestrictingcommunicationtotheinternalserversandotherresourcesonthenetwork.

Furthermore,theNACsolutioncanalsolockadevicetoa

specificswitchorswitchport,using

the“LockMAC”feature.Ifthedeviceismovedtoanyotherswitchportonthenetwork,it

willnotbeabletoconnect.Forexample,aprinteroraservercontainingsensitivedatamaybe

connectedtothenetworkataspecificlocation,such

asbehindafirewalloronaparticular

VLANforsecurityreasons.Physicallymovingtheconnectionofthesedevicestoanopenarea

ofthenetworkincreasestheriskofthesedevicesbeingattackedandcompromisedbecause

theywouldnolongerbeprotectedbythesecuritymechanismsthatwereput

inplaceonthe

network.The“LockMAC”featurecanbeusedtolimitthemobilityofspecificdevicesand

avoidmaliciousorunintentionalmisconfigurationsonthenetwork,therebyreducingrisk.

Device-Based Authorization

WiththisNACdeploymentmodel,end‐systemsareauthorizedwithaccesstoaspecificsetof

networkresourcesbasedontheend‐systemʹsMACaddress.Forinitialimplementation,the

EnterasysNACsolutionisconfiguredinamodewhereallMACaddressesofconnectingend‐

systemsarepermittedontothenetwork

anddynamicallylearned.TheEnterasysNAC

solutionisthenconfiguredtoallowonlyknownMACaddressesontothenetwork,assigning

eachend‐systemaparticularauthorizationlevel.AnynewMACaddressconnectingtothe

networkisassignedadifferentauthorizationlevel,suchasdeniedaccess,restrictedaccess,or

allowedaccess

iftheuserisabletoproperlyregistertheirdevicetothenetwork.

TheEnterasysNACsolutionisabletoauthorizespecificdevicesorclassesofdevices(ba sed

onMACaddressOUIprefix)withaccesstoaspecificsetofnetworkresourcesthroughthe

configurationofMACoverrides.Forexample,an

end‐systemthatisknowntobeinfected

withaworm,apubliclyaccessiblemachine,oramachinebelongingtoguestusermaybe

authorizedwitharestrictivesetofnetworkresourcesorcompletelydeniednetworkaccess,

regardlessofwhereandwhenthisdeviceconnects.Incontrast,anend‐systembelonging

to

theIToperationsgroupmaybepermittedunrestrictedaccesstonetworkresourcesfor

infrastructuretroubleshootingandmaintenancepurposes,regardlessofwhereandwhenthe

deviceconnectstothenetwork.Ifyouaddlocation‐basedauthorization(asdiscussedabove)

tothisexample,thenunrestrictedaccessforend‐systemsbelongingto

theIToperationsgroup

previous next