Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Survey the Network

4-8 Design Planning

authenticatedtothenetworkandinteractwithEnterasysNACforauthentication,assessment,

authorization,andremediation.Notehowever,thatthisconfigurationmaynotbepossibleif

trustedusersarealsobeingMACauthenticatedtothenetworkinthesameSecurityDomain.

Inthiscase,MACoruseroverrideswouldneedtobe

configuredforthetrustedusers,andthe

defaultNACconfigurationoftheSecurityDomainwouldspecifytheNACimplementation

forguestusers.

•Ifguestaccessisimplementedwithweb‐basedauthenticationusingtheguestnetworking

featureonEnterasyspolicy‐capableswitches(supplyingdefaultcredentialsintheweblogin

pageforguest

users),theguestnetworkingfeaturemustbeconfiguredtosendthedefault

credentialstoabackendRADIUS serverandnotlocallyauthenticatethem.Thisisbecausein

theout‐of‐bandNACconfiguration,theNACGatewaymustreceivetheauthentication

attemptviaRADIUSinordertodetecttheconnectingend‐

systems.ARADIUSserverwiththe

guestnetworkingcredentialsmustbedeployedonthenetworksotheNACGatewaycan

proxytheRADIUSrequeststotheupstreamRADIUSserver.IfaRADIUSFilter‐IDorVLAN

Tunnelattributeisnotconfiguredfortheguestnetworkingcredentialsontheupstream

RADIUSserver,

EnterasysNACcanbeconfiguredtoincludeaFilter‐IDorVLANTunnel

attributeintheRADIUSAccess‐Acceptpacketreturnedtotheswitchbyimplementingauser

overridefortheguestnetworkingusername.

3. Identify the Strategic Point for End-System Authorization

Inthisstep,youwillidentifythestrategicpointinthenetworkwhereend‐systemauthorization

shouldbeimplemented.

Themostsecureplaceforimplementingauthorizationisdirectlyatthepointofconnectionatthe

edgeofthenetwork,assupportedbyEnterasyspolicy‐capableswitches.Inthisconfiguration,the

implementation

ofout‐of‐bandNACusingtheNACGatewayapplianceleveragespolicyon

Enterasysswitchestosecurelyauthorizeconnectingend‐systems.

RFC3580‐capableswitchescanbeusedforauthenticationandauthorizationbyassigningend‐

systemstoparticularVLANsbasedontheauthenticationandassessmentresults.However,thisis

not

assecureasusingEnterasyspolicy‐capableswitches,forthetwofollowingreasons:

•VLANsauthorizeend‐systemsbyplacingthemintothesamecontainer,withthetraffic

enforcementpointimplementedattheingress/egresspointtotheVLANontheVLANʹs

routedinterface.Be causeauthorizationisnotimplementedbetweenend‐systems

withinthe

sameVLAN,anend‐system inaVLANisopentolaunchattacksorbeattackedbyother

deviceswithinthesameVLAN.Forexample,ifend‐systemAwithvirusXandend‐systemB

withvirusYarequarantinedintothesameVLAN,thenend‐systemA

andBmaybecome

infectedwithvirusXandY.Enterasyspolicyuniquelyauthorizesconnectingend‐systems

independentoftheirVLANassignmentbypermitting,denying,andprioritizingtrafficon

ingresstothenetworkattheportlevel.

•BecauseRFC3580‐capableswitchesimplementthetrafficenforcementpointforaVLANat



theVLAN’sroutedinterface,malicioustrafficisallowedontothenetworkandmayconsume

bandwidth,memory,andCPUcyclesoninfrastructuredevicesbeforebeingdiscarded

possiblyseveralhopsdeepwithinthenetwork.Thisisespeciallydetrimentaltotheoperation

ofthenetworkifasingleinter‐switchlinkconnectingthe

accesslayertodistributionlayeris

usedtotransmittrafficfromboththequarantineVLANandtheproductionVLAN(suchasan

802.1QVLANtrunkedlink).Trafficfromquarantinedend‐systems(forexample,worms

scanningforvulnerablehosts)canconsumetheentirebandwidthavailableontheinter‐switch

linkandaffect

networkconnectivityforend‐systemsontheproductionVLAN.Incontrast,

sincethetrafficenforcementpointforEnterasyspolicyisattheportofconnection,malicious

trafficneveringressesthenetworktocauseanydisruptiontonetworkconnectivity.

previous next