Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Model 3: End-System Authorization with Assessment

Enterasys NAC Design Guide 2-11

•Applicationconfiguration

TheNACsolutioncandeterminewhichservicesandapplicationsareinstalledandenabledon

theend‐system.Certainapplicationsshouldberemovedfromthedevicepriortoestablishing

connectivitybecausetheymayhaveanegativeimpactontheoperationoftheend‐system,

distracttheenduserfrombusiness

functions,orbeusedtolaunchattacksonthenetwork.

Furthermore,particularservicesmaybeoutdatedandvulnerabletoattack.Theseservices

shouldeitherbeupdatedordisabledtominimizetherisktoconnectingend‐systemsonthe

network.TheNACsolutionfacilitatesthisreconfigurationofapplicationsonanend ‐system



priortonetworkconnection,toensuremaximumsecurityandproductivitywhenthede vice

connects.

Diverse Security Posture Compliance Verification

InorderforaNACsolutiontobeeffective,inclusionofallend‐systemsinthenetwork

environmentmustbeaddressedwhendetecting,authenticating,assessing,andauthorizing

devices.TheEnterasysNACsolutionsupportsadiverseend‐systemenvironment,and

providesintegratedsecurityandmanagementregardlessofwhattypeofdevicesare



connectedtothebusinessnetwork.

Enterasysleveragestwoassessmentmodels:agent‐basedandagent‐less.Anagent‐based

assessmentandanagent‐lessassessmentarebothcriticaltoensuringthatanyend‐systemof

anytypecanbeincludedintheNACprocess.Thereareseveralreasonswhybothassessment

modelsarecriticaltoacompleteNACsolution.Securityagentsloadedontomanagedend‐

systemsofferextensiveassessmentcapabilities.Ifanagentisrequired,anewend‐system

connectingtothenetworkthathasnotdownloadedtheagentcanbequarantinedand

redirectedtoawebpage.Thewebpageprovides

informationonhowtheagentcanbe

downloadedandinstalledontheend‐systemtobeginitsassessment.

However,therearetypesofend‐systemsinatypicalnetworkthatmaynotbeabletoloada

softwareagent,suchasIPphones,securi tycameras,orprinters.Ifasecurity

agentisnot

availableforadevice(ortheoperatingsystemsrunningthedevice),anagent‐lessapproachis

theonlywaytoassesstheend‐system.Inaddition,considerend‐systemsthatcouldnormally

holdanagent,butarenotunderthecontroloftheITorganization.Inthecase

ofguest

networkingthatprovidessupportforcontractors,vendors,andthepublic,thedesiremaybe

tosupportminimalorspecificnetworkservices,butstillensurethesafetyandsecurityofthe

networkandthepeopleusingit.Itisnotenoughtosimplyuseanetworkusagepolicyto

restricttheservicesaguestuserisallowedtoaccess.Becausetheguestisleveragingthesame

networkinfrastructureasthecriticalbusinessusers,itisimportantthatproactivesecurity

measuresareappliedtotheguestjustastheyaretoamanageduser.Thisisanothercase

whereanagent

‐lessapproachtoend‐systemassessmentcanbecriticaltoensuringa

comprehensiveNACstrategy.

Boththeagent‐basedandtheagent‐lessassessmentmodelscanbedeployedandintegrated

togetherintheEnterasysNACsolution.

previous next