Survey the Network
Enterasys NAC Design Guide 4-9
If the network infrastructure does not contain intelligent devices at the edge or distribution layer, then inline NAC using the NAC Controller as the authorization point for connecting end-systems must be implemented. This is not as secure as out-of-band NAC because the authorization point for end-systems is located deeper into the network at the NAC Controller. With inline NAC, a quarantined end-system, while restricted from network access to resources upstream from the NAC Controller, is still able to interact openly with resources and assets on the network downstream from the NAC Controller. However, an advantage of the NAC Controller is that it provides network access control without requiring the upgrade of the access layer or distribution layer of the network.

Furthermore, it is important to note that the NAC Controller and NAC Gateway can be deployed concurrently in the network for the simultaneous implementation of inline and out-of-band NAC, all centrally managed from the NetSight NAC Manager. The NAC Gateway can be utilized for areas of the network where intelligent switches reside, while the NAC Controller can be positioned inline for segments of the network where non-intelligent devices exist.

If the deployment of out-of-band NAC is desired for a network with non-intelligent access layer devices, the following options should be considered:
• Distribution layer infrastructure devices can be strategically upgraded to Enterasys Matrix N-Series devices that are capable of individually authenticating and uniquely authorizing multiple devices connected to a single port. Most of the security benefits of out-of-band NAC using Enterasys policy can be obtained by implementing authorization at the distribution layer instead of at the port of connection in the access layer.
• Access layer infrastructure devices can be upgraded to Enterasys policy-capable switches or RFC 3580-capable switches to obtain the security benefits of out-of-band NAC.
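The second option above depends on what "RFC 3580-capable" means in practice: the access switch authenticates the end-system over 802.1X, and the RADIUS server's Access-Accept carries the tunnel attributes that RFC 3580 borrows from RFC 2868 (Tunnel-Type = VLAN, Tunnel-Medium-Type = IEEE-802, Tunnel-Private-Group-ID = VLAN ID) to place the port in an enforcement or quarantine VLAN. A switch that does not understand those attributes silently ignores them, so the authorization never reaches the port of connection. The following Python is an added example, not code from the Enterasys guide or any Enterasys product: it builds such an Access-Accept with a correct Response Authenticator and parses the VLAN back out the way a capable switch would. The identifier, Request Authenticator, shared secret and VLAN numbers are constructed sample values.

```python
import hashlib
import hmac
import struct

# RADIUS code and attribute types (RFC 2865 section 3, RFC 2868 section 3)
ACCESS_ACCEPT = 2
TUNNEL_TYPE = 64
TUNNEL_MEDIUM_TYPE = 65
TUNNEL_PRIVATE_GROUP_ID = 81

TUNNEL_TYPE_VLAN = 13       # RFC 3580 section 3.31
TUNNEL_MEDIUM_IEEE_802 = 6  # RFC 3580 section 3.31


def tunnel_attr(attr_type, tag, value):
    """Encode one tagged tunnel attribute: Type, Length, Tag, Value. Tag 0 means 'no tag'."""
    body = bytes([tag]) + value
    return struct.pack("!BB", attr_type, 2 + len(body)) + body


def vlan_assignment_attrs(vlan_id, tag=0):
    """The three attributes an RFC 3580-capable switch needs to assign a port VLAN."""
    return (
        tunnel_attr(TUNNEL_TYPE, tag, TUNNEL_TYPE_VLAN.to_bytes(3, "big"))
        + tunnel_attr(TUNNEL_MEDIUM_TYPE, tag, TUNNEL_MEDIUM_IEEE_802.to_bytes(3, "big"))
        + tunnel_attr(TUNNEL_PRIVATE_GROUP_ID, tag, str(vlan_id).encode("ascii"))
    )


def access_accept(identifier, request_authenticator, secret, attrs):
    """Build an Access-Accept. Response Authenticator =
    MD5(Code + ID + Length + RequestAuth + Attributes + Secret) per RFC 2865."""
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def verify_response(packet, request_authenticator, secret):
    """What the switch (RADIUS client) checks before trusting the attributes."""
    header, resp_auth, attrs = packet[:4], packet[4:20], packet[20:]
    expected = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return hmac.compare_digest(expected, resp_auth)


def parse_attrs(packet):
    """Return [(type, value), ...] from a RADIUS packet, rejecting malformed lengths."""
    if len(packet) < 20:
        raise ValueError("short RADIUS header")
    length = struct.unpack("!H", packet[2:4])[0]
    if length != len(packet):
        raise ValueError("RADIUS Length field does not match packet size")
    pos, out = 20, []
    while pos < length:
        if length - pos < 2:
            raise ValueError("truncated attribute header")
        atype, alen = packet[pos], packet[pos + 1]
        if alen < 2 or pos + alen > length:
            raise ValueError(f"bad attribute length {alen} for type {atype}")
        out.append((atype, packet[pos + 2:pos + alen]))
        pos += alen
    return out


def assigned_vlan(packet):
    """VLAN ID the switch would apply, or None if the RFC 3580 triple is absent or wrong.
    (This example assumes at most one instance of each attribute type.)"""
    attrs = dict(parse_attrs(packet))
    ttype = attrs.get(TUNNEL_TYPE)
    tmed = attrs.get(TUNNEL_MEDIUM_TYPE)
    tgid = attrs.get(TUNNEL_PRIVATE_GROUP_ID)
    if not (ttype and tmed and tgid):
        return None
    if int.from_bytes(ttype[1:], "big") != TUNNEL_TYPE_VLAN:
        return None
    if int.from_bytes(tmed[1:], "big") != TUNNEL_MEDIUM_IEEE_802:
        return None
    # RFC 2868: the leading octet of Tunnel-Private-Group-ID is a tag only if it is 0x00..0x1F
    group_id = tgid[1:] if tgid[0] <= 0x1F else tgid
    return int(group_id.decode("ascii"))


if __name__ == "__main__":
    # Constructed sample values, not taken from any real RADIUS exchange.
    req_auth = bytes(range(16))
    secret = b"example-shared-secret"
    pkt = access_accept(0x2A, req_auth, secret, vlan_assignment_attrs(20))
    print("Access-Accept:", pkt.hex())
    print("authenticator ok:", verify_response(pkt, req_auth, secret))
    print("assigned VLAN:", assigned_vlan(pkt))
```

The check in assigned_vlan is the whole point of the upgrade path: with a legacy access switch the same Access-Accept arrives, authenticator and all, but nothing acts on the VLAN attributes, so enforcement has to move up to the distribution layer or inline to the NAC Controller as described above.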
4. Identify Network Connection Methods
The previous steps have been concerned with implementing NAC for the internal LAN. In this step, various types of network connection methods are discussed, along with their impact on NAC deployment.
Wired LAN
Out-of-band or inline NAC can be implemented, depending on the capabilities of the access edge infrastructure devices.
Wireless LAN
Wireless LAN deployments may be categorized into either thick wireless deployments, where access points (APs) operate independently on the network, or thin wireless deployments, where APs communicate back to centrally deployed wireless switches that facilitate communication between APs.
Thick Wireless Deployments
Thick wireless deployments may consist of full-featured APs that support authentication and authorization. Full-featured thick APs fall into the intelligent edge category and have the same NAC implications as an intelligent wired edge. In this case, intelligent APs in a thick wireless deployment can be configured with out-of-band NAC using the NAC Gateway, with authentication and authorization implemented on the thick APs.
Other thick AP deployments may consist of APs that do not support authentication and/or authorization and merely act as a media converter between the wireless and wired networks. In