Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Model 4: End-System Authorization with Assessment and Remediation

2-14 NAC Deployment Models

Inline NAC

ForinlineEnterasysNACdeploymentsutilizingtheLayer2orLayer3NACController,theNAC

functionsareimplementedinthefollowingway:

Detection‐AsdescribedinModel2.

Authentication‐AsdescribedinModel2.

Assessment‐AsdescribedinModel3.

Authorization‐AsdescribedinModel3.

Remediation‐Whenanend‐systemis

quarantinedbytheNACController,allwebtrafficsourced

fromthequarantinedend‐systemisredirectedtothelocalRemediationWebServicerunningon

theNACController.TheNACControllerthenreturnstheremediationwebpagetothe

noncompliantend‐system.Noadditionalconfigurationsarerequiredonthenetworkbecause

the

NACControllerexistsinlinewiththetrafficfromquarantinedend‐systems.

Features and Value

InadditiontothefeaturesandvaluesfoundinModel1,Model2,andModel3,thefollowingare

keypiecesoffunctionalityandvaluepropositionssupportedbyModel4,End‐System

AuthorizationwithAssessmentandRemediation:

Self-Service Remediation

IfauserʹsPCissuddenlyquarantinedandtheuserisnotabletoaccesstheexpectedtypesof

services,itisnotonlyimportantthatinformationofthiseventisavailabletoIT,butalsothat

theuserisdirectlynotifiedofthecauseofservicedisruption.Ifthey

arenotnotifiedaboutthe

quarantineaction,theuserwilllikelybelievethatthereisanetworkcommunicationproblem.

ImplementingaNACsolutionthatcanquarantineuserswithoutnotification,may

inadvertentlyincreasecallstotheIThelpdeskfromuserswhoarenotabletoaccessneeded

services.

WiththeEnterasys

NACsolution,network‐basednotificationandremediationareintegrated.

Onceanend‐systemisputintoaquarantinestate,notificationisachievedbyredirectingthe

non‐compliantend‐systemʹswebtraffictoaremediationwebpage.Thewebpagecanbe

maintainedbytheITorganizationandcaninclude

detailsaboutwhytheend‐systemhasbeen

quarantinedandhowausercanfixissuesthatarecausingthenon‐compliantstate.Thelayout

andinformationpresentedonthiswebpageisfullycustomizableincludingchangingheader

andfooterinformation,alteringinformationpresentedtotheuser,andcontrollingtheamount



oftimeorthenumberoftimesanend‐systemisallowedtoinitiatereassessmentafter

attemptingremediation.

Althoughtheend‐systemmaybeabletoaccessthenetworkandtheremediationwebpage,

communicationisprovisionedthroughasetofpolicyrulestoensurethatthereisnodanger

to

therestofthe network.Inorderforaquarantinedusertoregainaccesstonetworkservices,

theymustfirstremediatetheproblemthatactuallycausedthequarantinetooccurinthefirst

place.However,remediationdoesnotalwayshavetobemadeavailabletotheuser.Consider

thesituation

whereauserisactingmaliciouslyandthreateningthenetworkanditsservices.

Remediationmaynotbedesirable,andinsteadapersistentquarantinepolicymaybeenforced

tokeeptheuserfromcausinganyharm.

Thekeytothisprocessistheabilityofthenetworktoenforceausagepolicy

thatcompletely

protectsallcriticalresourcesandotherusers,butallowsaccesstokeyremediationassetssuch

aswebserverswithsecuritypatches.TheEnterasysNACsolutionallowsaquarantinepolicy

tobeestablishedwithaveryspecificsetofpolicyrulesthatcanfilterandcontrolnetwork

previous next