Support User Manuals

Enterasys Networks 9034385 Plumbing Product User Manual

Open as PDF

of 98

Additional Considerations

Enterasys NAC Design Guide 5-33

assessmentserverstoreachtheend‐systemwhileitisbeingassessed,regardlessofwhetherthe

Assessingpolicy,EnterpriseUserpolicy,oranyotherpolicyroleisutilizedfor assessment.

TheQuarantinePolicyisusedtorestrictnetworkaccesstoend‐systemsthathavefailed

assessment.TheQuarantinepolicyroleis

configuredbydefaultontheNACControllertobeused

astheQuarantinePolicyinNACManager.Thispolicyisrestrictive,allowingDNSandDHCP,and

redirectingwebtraffictoservebackawebpagestatingtheend‐systemhasbeenrestrictedaccess

becauseitisdeemednoncompliant.Allothertypes

oftrafficarediscarded.Ifitisdesiredtoopen

networkaccesswhenanend‐systemfailstheassessment,theuseoftheQuarantinePolicycanbe

disabledintheNACConfigurationortheEnterpriseUserpolicyrolecanbeselectedasthe

QuarantinePolicy.

Unregistered Policy

IfMAC(network)registrationistobeconfiguredonLayer2NACControllers,theUnregistered

policyroleconfiguredbydefaultontheNACControllercanbeusedfortheAcceptPolicyof

unregistereddevices.Thispolicyisrestrictive,allowingDNSandDHCP,andredirectingweb

traffictoservebackaregistration

webpagestatingtheend‐systemhasbeenrestrictedaccess

becauseithasnotyetregistered.Allothertypesoftrafficarediscarded.

Additional Considerations

Thissectionpresentsadditionaldesignconsiderationsforbothinlineandout‐of‐bandNAC

deployments.

NAC Deployment With an Intrusion Detection System (IDS)

NACdeploymentsthatimplementend‐systemassessmentcomplementnetworking

environmentswithIDStechnologiesthatdetectreal‐timesecurityeventsonthenetwork.While

end‐systemassessmentdeterminesthesecuritypostureofconnectingdevicesand mitigates

threatsposedbyvulnerableend‐systems,itdoesnotdeterminetheenduserʹsintentions,whether



maliciousorbenevolent.Therefore,IDStechnologiescanmonitorhowanend‐systemutilizes

networkresourcesafterNAChasvalidatedthesecurityposturecomplianceoftheend‐system.

However,end‐systemassessmentsutilizedinNACmaybeclassifiedbyanIDS(dependingonits

configuration)asanattack.Therefore,ifthe

trafficfromtheassessmentservertraversesanetwork

linkthatismonitoredbyanIDSsensor,theIDSmustbeconfiguredtonotgeneratesecurityevents

fortrafficsourcedfromtheassessmentserver’sIPaddress.ThesameappliesforIPSsystems.

NAC Deployment With NetSight ASM

NetSightASMcanbeconfiguredtonotifythelocallyinstalledNACManagertodynamically

configureaMACoverrideforathreatMACaddressonthenetwork.Whenasecuritythreatis

detectedonthenetwork,eitherthroughEnterasysDragonIDSorathird‐partydevice,andthe

securitythreatiscommunicated

toNetSightASMforanautomatedresponse,ASMcanthen

quarantinethesourceoftheattackat theportofconnectionusingpolicy,andalsocommunicate

thisquarantineactiontoNAC.Iftheend‐systemsourcingthesecuritythreatmovestoadifferent

portonthenetwork,theend‐system

willremainquarantined,duetoadynamicallyconfigured

MACoverride,toprotectthenetworkfromthepossibilityoffutureattacks.Therefore,the

deploymentofNACnotonlyproactivelyprotectsthenetworkfromsecuritythreatsposedby

vulnerableend‐systems,butitalsoempowersthenetworkʹsdynamicresponsecharacteristicsto

real

‐timethreatsdetectedfromend‐systems.

previous