Model 4: End-System Authorization with Assessment and Remediation
2-14 NAC Deployment Models
Inline NAC
For inline Enterasys NAC deployments utilizing the Layer 2 or Layer 3 NAC Controller, the NAC functions are implemented in the following way:
Detection - As described in Model 2.
Authentication - As described in Model 2.
Assessment - As described in Model 3.
Authorization - As described in Model 3.
Remediation - When an end-system is quarantined by the NAC Controller, all web traffic sourced from the quarantined end-system is redirected to the local Remediation Web Service running on the NAC Controller. The NAC Controller then returns the remediation web page to the noncompliant end-system. No additional configuration is required on the network because the NAC Controller sits inline with the traffic from quarantined end-systems.
Features and Value
In addition to the features and value found in Model 1, Model 2, and Model 3, the following are key pieces of functionality and value propositions supported by Model 4, End-System Authorization with Assessment and Remediation:
Self-Service Remediation
If a user's PC is suddenly quarantined and the user is not able to access the expected types of services, it is not only important that information about this event is available to IT, but also that the user is directly notified of the cause of the service disruption. If they are not notified about the quarantine action, the user will likely believe that there is a network communication problem. Implementing a NAC solution that can quarantine users without notification may inadvertently increase calls to the IT help desk from users who are not able to access needed services.
With the Enterasys NAC solution, network-based notification and remediation are integrated. Once an end-system is put into a quarantine state, notification is achieved by redirecting the non-compliant end-system's web traffic to a remediation web page. The web page can be maintained by the IT organization and can include details about why the end-system has been quarantined and how a user can fix the issues that are causing the non-compliant state. The layout and information presented on this web page are fully customizable, including changing header and footer information, altering the information presented to the user, and controlling the amount of time or the number of times an end-system is allowed to initiate reassessment after attempting remediation.
Although the end-system may be able to access the network and the remediation web page, communication is provisioned through a set of policy rules to ensure that there is no danger to the rest of the network. In order for a quarantined user to regain access to network services, they must first remediate the problem that caused the quarantine in the first place. However, remediation does not always have to be made available to the user. Consider the situation where a user is acting maliciously and threatening the network and its services. Remediation may not be desirable, and instead a persistent quarantine policy may be enforced to keep the user from causing any harm.
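The following is an added illustration of the quarantine behaviour described in the Remediation and Self-Service Remediation paragraphs above. It is example code written for this page, not Enterasys NAC Controller code or configuration: an ordered rule list decides, for each packet from a quarantined end-system, whether it is allowed (DNS, the Remediation Web Service, a patch server), redirected to the remediation page (any other plaintext HTTP), or dropped; a persistent quarantine policy offers no remediation path at all; and a small state machine bounds how often and how soon a host may ask to be reassessed. All addresses, ports, limits and rule names are constructed for the example. Only TCP port 80 is redirected, since transparently redirecting TLS traffic would break certificate validation; that design choice is the example's, not a statement about the product.

```python
"""Illustrative model of inline quarantine enforcement (added example, not Enterasys code)."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, IPv4Network
from typing import List, Optional


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str      # "tcp" or "udp"
    dport: int


@dataclass(frozen=True)
class Rule:
    action: str                          # "allow" | "redirect" | "deny"
    proto: Optional[str] = None          # None matches any protocol
    dst: Optional[IPv4Network] = None    # None matches any destination
    dport: Optional[int] = None          # None matches any destination port
    note: str = ""

    def matches(self, p: Packet) -> bool:
        return ((self.proto is None or self.proto == p.proto)
                and (self.dst is None or ip_address(p.dst) in self.dst)
                and (self.dport is None or self.dport == p.dport))


# Constructed addresses for the example (assumptions, not product defaults).
REMEDIATION_WEB = ip_network("10.0.0.10/32")   # Remediation Web Service on the controller
PATCH_SERVER = ip_network("10.0.0.20/32")      # internal server with security patches
DNS_SERVER = ip_network("10.0.0.53/32")

# Quarantine policy: first matching rule wins, so order matters. HTTP to the
# remediation web service must be allowed before the catch-all HTTP redirect.
QUARANTINE_POLICY: List[Rule] = [
    Rule("allow", "udp", DNS_SERVER, 53, "name resolution so the redirect target resolves"),
    Rule("allow", "tcp", REMEDIATION_WEB, 80, "remediation web page"),
    Rule("allow", "tcp", REMEDIATION_WEB, 443, "remediation web page over TLS"),
    Rule("allow", "tcp", PATCH_SERVER, 443, "security patches"),
    Rule("redirect", "tcp", None, 80, "all other web traffic goes to the remediation page"),
    Rule("deny", note="everything else: critical resources and other users stay unreachable"),
]

# Persistent quarantine for a host judged malicious: no remediation is offered.
PERSISTENT_QUARANTINE_POLICY: List[Rule] = [Rule("deny", note="no remediation path")]


def decide(policy: List[Rule], p: Packet) -> str:
    """Return the action of the first rule matching the packet ("deny" if none match)."""
    for rule in policy:
        if rule.matches(p):
            return rule.action
    return "deny"


@dataclass
class EndSystemState:
    policy: List[Rule]
    reassessments: int = 0            # reassessments initiated so far
    last_reassessment: float = -1e9   # monotonic timestamp of the last one; none yet


class Enforcer:
    """Tracks quarantined end-systems and bounds how often they may request reassessment."""

    def __init__(self, max_reassessments: int = 3, min_interval_s: float = 60.0):
        self.max_reassessments = max_reassessments
        self.min_interval_s = min_interval_s
        self.hosts = {}

    def quarantine(self, src: str, persistent: bool = False) -> None:
        policy = PERSISTENT_QUARANTINE_POLICY if persistent else QUARANTINE_POLICY
        self.hosts[src] = EndSystemState(policy)

    def release(self, src: str) -> None:
        self.hosts.pop(src, None)

    def handle(self, p: Packet) -> str:
        state = self.hosts.get(p.src)
        if state is None:
            return "allow"   # not quarantined: the normal authorization policy applies
        return decide(state.policy, p)

    def request_reassessment(self, src: str, now: float) -> bool:
        """Return True if the host may be reassessed now; enforces count and interval limits."""
        state = self.hosts.get(src)
        if state is None or state.policy is PERSISTENT_QUARANTINE_POLICY:
            return False
        if state.reassessments >= self.max_reassessments:
            return False
        if now - state.last_reassessment < self.min_interval_s:
            return False
        state.reassessments += 1
        state.last_reassessment = now
        return True
```

A quarantined host's HTTP request to any public site comes back as "redirect" (the controller answers with the remediation page), its connection to the patch server is allowed, and SMB to an internal file server is dropped; a host placed in persistent quarantine is denied even the remediation page and cannot request reassessment. Note that in a real deployment the redirect rule returns the remediation page to the user, so putting it after the specific allow rules is what keeps the remediation web service itself reachable.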
The key to this process is the ability of the network to enforce a usage policy that completely protects all critical resources and other users, but allows access to key remediation assets such as web servers with security patches. The Enterasys NAC solution allows a quarantine policy to be established with a very specific set of policy rules that can filter and control network