Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Survey the Network

Enterasys NAC Design Guide 4-9

Ifthenetworkinfrastructuredoesnotcontainintelligentdevicesattheedgeordistributionlayer,

theninlineNACusingtheNACControllerastheauthorizationpointforconnectingend‐systems

mustbeimplemented.Thisisnotassecureasout‐of‐bandNACbecausetheauthorizationpoint

forend‐sy stemsis

locateddeeperintothenetworkattheNACController.WithinlineNAC,a

quarantinedend‐system,whilerestrictedfromnetworkaccesstoresourcesupstreamfromthe

NACController,isstillabletointeractopenlywithresourcesandassetsonthenetwork

downstreamfromtheNACController.However,anadvantageof

theNACControlleristhatit

providesnetworkaccesscontrolwithoutrequiringtheupgradeoftheaccesslayerordistribution

layerofthenetwork.

Furthermore,itisimportanttonotethattheNACControllerandNACGatewaycanbedeployed

concurrentlyinthenetworkforthesimultaneousimplementationofinlineand

out‐of‐bandNAC,

allcentrallymanagedfromtheNetSightNACManager.TheNACGatewaycanbeutilizedfor

areasofthenetworkwhereintelligentswitchesreside,whiletheNACControllercanbe

positionedinlineforsegmentsofthenetworkwherenon‐intelligentdevicesexist.

Ifthedeploymentofout‐of

‐bandNACisdesiredforanetworkwithnon‐intelligentaccesslayer

devices,thefollowingoptionsshouldbeconsidered:

• DistributionlayerinfrastructuredevicescanbestrategicallyupgradedtoEnterasysMatrixN‐

Seriesdevicesthatarecapableofindividuallyauthenticatinganduniquelyauthorizing

multipledevicesconnectedtoasingleport.Mostof

thesecuritybenefitsofout‐of‐bandNAC

usingEnterasyspolicycanbeobtainedbyimplementingauthorizationatthedistribution

layerinsteadofatthe portofconnectionintheaccesslayer.

• AccesslayerinfrastructuredevicescanbeupgradedtoEnterasyspolicy‐capableswitchesor

RFC3580‐capableswitches to

obtainthesecuritybenefitsofout‐of‐bandNAC.

4. Identify Network Connection Methods

ThepreviousstepshavebeenconcernedwithimplementingNACfortheinternalLAN.Inthis

step,varioustypesofnetworkconnectionmethodsarediscussed,alongwiththeirimpactonNAC

deployment.

Wired LAN

Out‐of‐bandorinlineNACcanbeimplemented,dependingonthecapabilitiesoftheaccessedge

infrastructuredevices.

Wireless LAN

WirelessLANdeploymentsmaybecategorizedintoeitherthickwirelessdeploymentswhere

accesspoints(APs)operateind e pend entlyonthenetwork,orthinwirelessdeploymentswhere

APscommunicatebacktocentrallydeployedwirelessswitchesthatfacilitatecommunication

betweenAPs.

Thick Wireless Deployments

Thickwirelessdeploymentsmayconsistoffull‐featuredAPsthatsupportauthenticationand

authorization.Full‐featuredthickAPsfallintotheintelligentedgecategoryandhavethesame

NACimplicationsasanintelligentwirededge.Inthiscase,intelligentAPsinathickwireless

deploymentcanbeconfiguredwithout‐of

‐bandNACusingtheNACGateway,with

authenticationandauthorizationimplementedonthethickAPs.

OtherthickAPdeploymentsmayconsistofAPsthatdonotsupportauthenticationand/or

authorizationandmerelyactasamediaconverterbetweenthewirelessandwirednetworks.In

previous next