Survey the Network
4-8 Design Planning
authenticated to the network and interact with Enterasys NAC for authentication, assessment, authorization, and remediation. Note, however, that this configuration may not be possible if trusted users are also being MAC authenticated to the network in the same Security Domain. In this case, MAC or user overrides would need to be configured for the trusted users, and the default NAC configuration of the Security Domain would specify the NAC implementation for guest users.
• If guest access is implemented with web-based authentication using the guest networking feature on Enterasys policy-capable switches (supplying default credentials in the web login page for guest users), the guest networking feature must be configured to send the default credentials to a backend RADIUS server and not locally authenticate them. This is because in the out-of-band NAC configuration, the NAC Gateway must receive the authentication attempt via RADIUS in order to detect the connecting end-systems. A RADIUS server with the guest networking credentials must be deployed on the network so the NAC Gateway can proxy the RADIUS requests to the upstream RADIUS server. If a RADIUS Filter-ID or VLAN Tunnel attribute is not configured for the guest networking credentials on the upstream RADIUS server, Enterasys NAC can be configured to include a Filter-ID or VLAN Tunnel attribute in the RADIUS Access-Accept packet returned to the switch by implementing a user override for the guest networking username.
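The check the NAC Gateway effectively performs on the proxied Access-Accept, as an added illustration that is not Enterasys code: it parses the RADIUS attribute section, reports whether the upstream server already supplied a Filter-ID or a complete VLAN tunnel assignment (Tunnel-Type, Tunnel-Medium-Type, Tunnel-Private-Group-ID, RFC 2868/3580), and otherwise builds the attributes a user override would add. The sample Access-Accept bytes and the VLAN number are constructed; the Enterasys Filter-ID string format is an assumption.

```python
# RADIUS attribute type codes (RFC 2865 / RFC 2868)
FILTER_ID, SESSION_TIMEOUT = 11, 27
TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID = 64, 65, 81
VLAN_TUNNEL = {TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE, TUNNEL_PRIVATE_GROUP_ID}

def parse_attributes(data: bytes) -> list:
    """Split the attribute section of a RADIUS packet into (type, value)
    pairs, validating each TLV length and stripping RFC 2868 tag bytes."""
    attrs, pos = [], 0
    while pos < len(data):
        if len(data) - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError(f"bad length {alen} for attribute {atype}")
        value = data[pos + 2:pos + alen]
        # Tunnel-Type/Medium-Type always carry a tag; the string-valued
        # Private-Group-ID only when the first byte is <= 0x1F (RFC 2868).
        if atype in (TUNNEL_TYPE, TUNNEL_MEDIUM_TYPE) or (
                atype == TUNNEL_PRIVATE_GROUP_ID and value and value[0] <= 0x1F):
            value = value[1:]
        attrs.append((atype, value))
        pos += alen
    return attrs

def authorization_present(attrs: list) -> dict:
    """Does the Access-Accept already tell the switch how to authorize?"""
    types = {t for t, _ in attrs}
    has_filter_id = FILTER_ID in types
    has_vlan = VLAN_TUNNEL <= types          # all three tunnel attributes
    return {"filter_id": has_filter_id, "vlan_tunnel": has_vlan,
            "override_needed": not (has_filter_id or has_vlan)}

def build_override(filter_id: str = None, vlan: int = None) -> bytes:
    """Attributes a NAC user override would append for the guest username.
    Tunnel-Type 13 = VLAN, Tunnel-Medium-Type 6 = IEEE-802 (RFC 3580)."""
    out = b""
    if filter_id:                            # policy name string (assumed format)
        v = filter_id.encode()
        out += bytes([FILTER_ID, 2 + len(v)]) + v
    if vlan is not None:
        out += bytes([TUNNEL_TYPE, 6, 0]) + (13).to_bytes(3, "big")
        out += bytes([TUNNEL_MEDIUM_TYPE, 6, 0]) + (6).to_bytes(3, "big")
        v = str(vlan).encode()
        out += bytes([TUNNEL_PRIVATE_GROUP_ID, 3 + len(v), 0]) + v
    return out

# Constructed upstream Access-Accept for the guest credentials: only a
# Session-Timeout of 3600 s, no Filter-ID and no VLAN tunnel attributes.
BARE_ACCEPT = bytes([SESSION_TIMEOUT, 6]) + (3600).to_bytes(4, "big")
```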
3. Identify the Strategic Point for End-System Authorization
In this step, you will identify the strategic point in the network where end-system authorization should be implemented.

The most secure place for implementing authorization is directly at the point of connection at the edge of the network, as supported by Enterasys policy-capable switches. In this configuration, the implementation of out-of-band NAC using the NAC Gateway appliance leverages policy on Enterasys switches to securely authorize connecting end-systems.

RFC 3580-capable switches can be used for authentication and authorization by assigning end-systems to particular VLANs based on the authentication and assessment results. However, this is not as secure as using Enterasys policy-capable switches, for the two following reasons:
• VLANs authorize end-systems by placing them into the same container, with the traffic enforcement point implemented at the ingress/egress point to the VLAN on the VLAN's routed interface. Because authorization is not implemented between end-systems within the same VLAN, an end-system in a VLAN is open to launch attacks or be attacked by other devices within the same VLAN. For example, if end-system A with virus X and end-system B with virus Y are quarantined into the same VLAN, then end-systems A and B may both become infected with viruses X and Y. Enterasys policy uniquely authorizes connecting end-systems independent of their VLAN assignment by permitting, denying, and prioritizing traffic on ingress to the network at the port level.
• Because RFC 3580-capable switches implement the traffic enforcement point for a VLAN at the VLAN's routed interface, malicious traffic is allowed onto the network and may consume bandwidth, memory, and CPU cycles on infrastructure devices before being discarded, possibly several hops deep within the network. This is especially detrimental to the operation of the network if a single inter-switch link connecting the access layer to the distribution layer is used to transmit traffic from both the quarantine VLAN and the production VLAN (such as an 802.1Q VLAN trunked link). Traffic from quarantined end-systems (for example, worms scanning for vulnerable hosts) can consume the entire bandwidth available on the inter-switch link and affect network connectivity for end-systems on the production VLAN. In contrast, since the traffic enforcement point for Enterasys policy is at the port of connection, malicious traffic never ingresses the network to cause any disruption to network connectivity.