Additional Considerations
Enterasys NAC Design Guide 5-33
assessment servers to reach the end-system while it is being assessed, regardless of whether the Assessing policy, Enterprise User policy, or any other policy role is utilized for assessment.
The Quarantine Policy is used to restrict network access to end-systems that have failed assessment. The Quarantine policy role is configured by default on the NAC Controller to be used as the Quarantine Policy in NAC Manager. This policy is restrictive, allowing DNS and DHCP, and redirecting web traffic to serve back a web page stating the end-system has been restricted access because it is deemed noncompliant. All other types of traffic are discarded. If it is desired to open network access when an end-system fails the assessment, the use of the Quarantine Policy can be disabled in the NAC Configuration, or the Enterprise User policy role can be selected as the Quarantine Policy.
Unregistered Policy
If MAC (network) registration is to be configured on Layer 2 NAC Controllers, the Unregistered policy role configured by default on the NAC Controller can be used for the Accept Policy of unregistered devices. This policy is restrictive, allowing DNS and DHCP, and redirecting web traffic to serve back a registration web page stating the end-system has been restricted access because it has not yet registered. All other types of traffic are discarded.
Additional Considerations
This section presents additional design considerations for both inline and out-of-band NAC deployments.
NAC Deployment With an Intrusion Detection System (IDS)
NAC deployments that implement end-system assessment complement networking environments with IDS technologies that detect real-time security events on the network. While end-system assessment determines the security posture of connecting devices and mitigates threats posed by vulnerable end-systems, it does not determine the end user's intentions, whether malicious or benevolent. Therefore, IDS technologies can monitor how an end-system utilizes network resources after NAC has validated the security posture compliance of the end-system. However, end-system assessments utilized in NAC may be classified by an IDS (depending on its configuration) as an attack. Therefore, if the traffic from the assessment server traverses a network link that is monitored by an IDS sensor, the IDS must be configured to not generate security events for traffic sourced from the assessment server's IP address. The same applies for IPS systems.
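The IDS exemption described above, as an added example that is not part of the guide: a small filter over constructed fast-log style alert lines that suppresses only scan-class events from the assessment server to the subnet it assesses, so the server's address does not become a blanket blind spot, and still counts what it suppressed for audit. The server address, assessed subnet, signature classes and alert lines are all assumed sample values.

```python
"""Scope an IDS exemption to NAC assessment traffic (added example, constructed values)."""
import ipaddress
import re

# Assumed: one NAC assessment server, assessing end-systems in this subnet.
ASSESSMENT_SERVER = ipaddress.ip_address("10.10.5.20")
ASSESSED_SUBNETS = [ipaddress.ip_network("10.20.0.0/16")]
# Assumed signature classes that a vulnerability assessment legitimately triggers.
SCAN_CLASSES = {"attempted-recon", "network-scan"}

# Constructed fast-log style line format: "[classtype] src:port -> dst:port"
ALERT_RE = re.compile(r"\[(?P<cls>[\w-]+)\] (?P<src>[\d.]+):\d+ -> (?P<dst>[\d.]+):\d+")


def parse_alert(line):
    """Return {cls, src, dst} for a matching line, or None for unparseable input."""
    m = ALERT_RE.search(line)
    if not m:
        return None
    return {"cls": m["cls"],
            "src": ipaddress.ip_address(m["src"]),
            "dst": ipaddress.ip_address(m["dst"])}


def is_assessment_noise(alert):
    """True only for scan-class events from the assessment server to an assessed end-system."""
    return (alert["src"] == ASSESSMENT_SERVER
            and alert["cls"] in SCAN_CLASSES
            and any(alert["dst"] in net for net in ASSESSED_SUBNETS))


def filter_alerts(lines):
    """Return (kept_lines, suppressed_count); the count should still be logged for audit."""
    kept, suppressed = [], 0
    for line in lines:
        alert = parse_alert(line)
        if alert is None:
            continue
        if is_assessment_noise(alert):
            suppressed += 1
        else:
            kept.append(line)
    return kept, suppressed


SAMPLE_ALERTS = [  # constructed sample alerts
    "[attempted-recon] 10.10.5.20:44321 -> 10.20.3.7:445",     # assessment scan: suppressed
    "[attempted-recon] 10.10.5.20:44322 -> 192.168.1.9:22",    # outside assessed subnet: kept
    "[trojan-activity] 10.10.5.20:51000 -> 203.0.113.5:443",   # non-scan class from server: kept
    "[attempted-recon] 10.20.3.7:50000 -> 10.20.3.8:445",      # an end-system scanning: kept
]

if __name__ == "__main__":
    kept, n = filter_alerts(SAMPLE_ALERTS)
    print(f"suppressed {n} assessment event(s); {len(kept)} alert(s) remain")
```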
NAC Deployment With NetSight ASM
NetSight ASM can be configured to notify the locally installed NAC Manager to dynamically configure a MAC override for a threat MAC address on the network. When a security threat is detected on the network, either through Enterasys Dragon IDS or a third-party device, and the security threat is communicated to NetSight ASM for an automated response, ASM can then quarantine the source of the attack at the port of connection using policy, and also communicate this quarantine action to NAC. If the end-system sourcing the security threat moves to a different port on the network, the end-system will remain quarantined, due to a dynamically configured MAC override, to protect the network from the possibility of future attacks. Therefore, the deployment of NAC not only proactively protects the network from security threats posed by vulnerable end-systems, but it also empowers the network's dynamic response characteristics to real-time threats detected from end-systems.