Model 3: End-System Authorization with Assessment
Enterasys NAC Design Guide 2-11
• Application configuration
The NAC solution can determine which services and applications are installed and enabled on the end-system. Certain applications should be removed from the device prior to establishing connectivity because they may have a negative impact on the operation of the end-system, distract the end user from business functions, or be used to launch attacks on the network. Furthermore, particular services may be outdated and vulnerable to attack. These services should either be updated or disabled to minimize the risk to connecting end-systems on the network. The NAC solution facilitates this reconfiguration of applications on an end-system prior to network connection, to ensure maximum security and productivity when the device connects.
Diverse Security Posture Compliance Verification
In order for a NAC solution to be effective, inclusion of all end-systems in the network environment must be addressed when detecting, authenticating, assessing, and authorizing devices. The Enterasys NAC solution supports a diverse end-system environment, and provides integrated security and management regardless of what type of devices are connected to the business network.
Enterasys leverages two assessment models: agent-based and agent-less. An agent-based assessment and an agent-less assessment are both critical to ensuring that any end-system of any type can be included in the NAC process. There are several reasons why both assessment models are critical to a complete NAC solution. Security agents loaded onto managed end-systems offer extensive assessment capabilities. If an agent is required, a new end-system connecting to the network that has not downloaded the agent can be quarantined and redirected to a web page. The web page provides information on how the agent can be downloaded and installed on the end-system to begin its assessment.
However, there are types of end-systems in a typical network that may not be able to load a software agent, such as IP phones, security cameras, or printers. If a security agent is not available for a device (or the operating system running the device), an agent-less approach is the only way to assess the end-system. In addition, consider end-systems that could normally hold an agent, but are not under the control of the IT organization. In the case of guest networking that provides support for contractors, vendors, and the public, the desire may be to support minimal or specific network services, but still ensure the safety and security of the network and the people using it. It is not enough to simply use a network usage policy to restrict the services a guest user is allowed to access. Because the guest is leveraging the same network infrastructure as the critical business users, it is important that proactive security measures are applied to the guest just as they are to a managed user. This is another case where an agent-less approach to end-system assessment can be critical to ensuring a comprehensive NAC strategy.
Both the agent-based and the agent-less assessment models can be deployed and integrated together in the Enterasys NAC solution.
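The following is an added illustration (not Enterasys code) of the two decisions described above: choosing agent-based, agent-less, or quarantine-and-redirect for an end-system, and then checking its application configuration against a prohibited-application list and minimum service versions. The policy values, device classes and inventories are constructed for the example.

```python
from dataclasses import dataclass, field

# Constructed policy (assumption): applications that must be removed before
# connection, and services that count as outdated below a minimum version.
PROHIBITED_APPS = {"p2p-filesharing", "remote-admin-tool"}
MIN_SERVICE_VERSION = {"sshd": (7, 4), "httpd": (2, 4, 41)}
# Constructed set of device classes that cannot run a software agent.
AGENTLESS_ONLY = {"ip-phone", "security-camera", "printer"}

@dataclass
class EndSystem:
    host: str
    device_class: str
    managed: bool              # under IT control; False for guest/contractor devices
    agent_installed: bool
    apps: set = field(default_factory=set)
    services: dict = field(default_factory=dict)  # name -> version tuple

def select_assessment(es: EndSystem) -> str:
    """Pick the assessment model. Devices that cannot hold an agent, and devices
    outside IT control, can only be assessed agent-less; a managed device that
    should have the agent but does not is quarantined and sent to the download page."""
    if es.device_class in AGENTLESS_ONLY or not es.managed:
        return "agent-less"
    if es.agent_installed:
        return "agent-based"
    return "quarantine-redirect"

def assess_applications(es: EndSystem) -> list:
    """Return remediation actions required before the device may connect.
    Prohibited applications must be removed; outdated services must be updated
    or disabled. The inventory source differs by model (agent vs. network scan)
    but the policy check is the same."""
    findings = [("remove", app) for app in sorted(es.apps & PROHIBITED_APPS)]
    for svc, minimum in MIN_SERVICE_VERSION.items():
        ver = es.services.get(svc)
        if ver is not None and ver < minimum:      # tuple comparison: (7, 2) < (7, 4)
            findings.append(("update-or-disable", svc))
    return findings

def authorize(es: EndSystem) -> dict:
    """Authorization outcome: quarantine until findings are remediated, else accept."""
    mode = select_assessment(es)
    findings = [] if mode == "quarantine-redirect" else assess_applications(es)
    decision = "accept" if mode != "quarantine-redirect" and not findings else "quarantine"
    return {"host": es.host, "mode": mode, "decision": decision, "findings": findings}

# Constructed sample end-systems
LAPTOP = EndSystem("lt-01", "laptop", True, True, {"p2p-filesharing"}, {"sshd": (7, 2)})
PRINTER = EndSystem("prn-02", "printer", True, False, set(), {"httpd": (2, 4, 52)})
GUEST = EndSystem("guest-03", "laptop", False, False, set(), {"sshd": (7, 9)})
NEW_HOST = EndSystem("lt-04", "laptop", True, False, set(), {})
```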